<!DOCTYPE html>
<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="en-US">
<!--<![endif]-->
<head>
	
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="profile" href="http://gmpg.org/xfn/11">

				<meta name="awa-pageType" content="Post">
						<meta name="awa-market" content="en-us">
						<meta name="awa-env" content="Production">
						<meta name="awa‐asst" content="114366">
			<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v18.2 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices - Microsoft Security Blog</title>
	<link rel="canonical" href="https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices - Microsoft Security Blog" />
	<meta property="og:description" content="Observing a 254% increase in activity over the last six months from a versatile Linux trojan called XorDdos, the Microsoft 365 Defender research team provides in-depth analysis into this stealthy malware&#039;s capabilities and key infection signs." />
	<meta property="og:url" content="https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/" />
	<meta property="og:site_name" content="Microsoft Security Blog" />
	<meta property="article:published_time" content="2022-05-19T16:00:00+00:00" />
	<meta property="article:modified_time" content="2022-05-19T16:14:43+00:00" />
	<meta property="og:image" content="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/XorDdos-social-2.png" />
	<meta property="og:image:width" content="1740" />
	<meta property="og:image:height" content="870" />
	<meta property="og:image:type" content="image/png" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:image" content="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/XorDdos-social-2.png" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Microsoft 365 Defender Research Team" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="22 min read" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.microsoft.com/security/blog/#organization","name":"Microsoft Security Blog","url":"https://www.microsoft.com/security/blog/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https://www.microsoft.com/security/blog/#logo","inLanguage":"en-US","url":"https://www.microsoft.com/security/blog/uploads/2018/08/cropped-cropped-microsoft_logo_element.png","contentUrl":"https://www.microsoft.com/security/blog/uploads/2018/08/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https://www.microsoft.com/security/blog/#logo"}},{"@type":"WebSite","@id":"https://www.microsoft.com/security/blog/#website","url":"https://www.microsoft.com/security/blog/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https://www.microsoft.com/security/blog/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.microsoft.com/security/blog/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#primaryimage","inLanguage":"en-US","url":"https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/XorDdos-social-2.png","contentUrl":"https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/XorDdos-social-2.png","width":1740,"height":870,"caption":"A diagram depicting a typical attack flow for XorDdos malware. The attacker communicates with a bot to SSH brute force a target device and download XorDdos. 
The malware then performs several techniques for evasion and persistence before connecting with the attacker's C2 server to send data and receive commands."},{"@type":"WebPage","@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#webpage","url":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/","name":"Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices - Microsoft Security Blog","isPartOf":{"@id":"https://www.microsoft.com/security/blog/#website"},"primaryImageOfPage":{"@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#primaryimage"},"datePublished":"2022-05-19T16:00:00+00:00","dateModified":"2022-05-19T16:14:43+00:00","breadcrumb":{"@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/"]}]},{"@type":"BreadcrumbList","@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.microsoft.com/security/blog/"},{"@type":"ListItem","position":2,"name":"Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux 
devices"}]},{"@type":"Article","@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#article","isPartOf":{"@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#webpage"},"author":[{"@id":"https://www.microsoft.com/security/blog/author/microsoft-defender-research-team/","@type":"Person","@name":"Microsoft 365 Defender Research Team"}],"headline":"Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices","datePublished":"2022-05-19T16:00:00+00:00","dateModified":"2022-05-19T16:14:43+00:00","mainEntityOfPage":{"@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#webpage"},"wordCount":5369,"publisher":{"@id":"https://www.microsoft.com/security/blog/#organization"},"image":{"@id":"https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/#primaryimage"},"thumbnailUrl":"https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/XorDdos-featured-image-1.png","keywords":["LINUX","malware","Microsoft","Microsoft security intelligence","Security"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//wcpstatic.microsoft.com' />
<link rel='dns-prefetch' href='//www.microsoft.com' />
<link rel='dns-prefetch' href='//js.monitor.azure.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Microsoft Security Blog &raquo; Feed" href="https://www.microsoft.com/security/blog/feed/" />
<link rel="alternate" type="application/rss+xml" title="Microsoft Security Blog &raquo; Comments Feed" href="https://www.microsoft.com/security/blog/comments/feed/" />
<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 0.07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://www.microsoft.com/security/blog/wp-includes/css/dist/block-library/style.min.css?ver=5.9.3' type='text/css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='ms-oembed-jsgif-styles-css'  href='https://www.microsoft.com/security/blog/wp-content/plugins/oembeds/assets/styles/jsgif.css?ver=1.1.1' type='text/css' media='all' />
<style id='oneplayer_embed_css-inline-css' type='text/css'>
.fluid-iframe {
	height: 0;
	margin-top: 30px;
	min-width: 320px;
	overflow: hidden;
	padding-bottom: 56.25%;
	position: relative;
}
.fluid-iframe iframe {
	border: none;
	height: 100%;
	left: 0;
	position: absolute;
	top: 0;
	width: 100%;
}
.fluid-iframe.override {
	max-width: 100%;
	min-width: 320px;
	padding-bottom: inherit;
}
@media only screen and (max-width: 1083px) and (min-width: 374px) {
	.fluid-iframe.override {
		margin: 0 auto;
	}
}

@media only screen and (max-width: 373px) {
	.fluid-iframe {
		margin-left: -26px;
		margin-right: -26px;
	}
}
</style>
<link rel='stylesheet' id='wds-ms-inline-interruption-styles-officeblogs-css'  href='https://www.microsoft.com/security/blog/wp-content/plugins/wds-ms-inline-interruption-styles-officeblogs/css/styles.css?ver=1653573832' type='text/css' media='all' />
<link rel='stylesheet' id='uhf-search-ui-css'  href='https://www.microsoft.com/security/blog/wp-content/plugins/wds-ms-searchwp/features/uhf-search-ui/uhf-search-ui.css?ver=1.0.1' type='text/css' media='all' />
<link rel='stylesheet' id='mwf-style-css'  href='//assets.onestore.ms/cdnfiles/external/mwf/short/v1/latest/css/mwf-west-european-default.min.css?ver=5.9.3' type='text/css' media='all' />
<link rel='stylesheet' id='microsoft-style-css'  href='https://www.microsoft.com/security/blog/wp-content/themes/ms_s/style.css?ver=1.0.0' type='text/css' media='all' />
<link rel='stylesheet' id='microsoft-child-style-css'  href='https://www.microsoft.com/security/blog/wp-content/themes/ms-security/style.min.css?ver=2.4.3' type='text/css' media='all' />
<script type='text/javascript' src='https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js' id='wcp-consent-js'></script>
<script type='text/javascript' src='https://www.microsoft.com/security/blog/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
<script type='text/javascript' src='https://www.microsoft.com/security/blog/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script type='text/javascript' src='//assets.onestore.ms/cdnfiles/external/mwf/short/v1/latest/scripts/mwf-main.var.min.js?ver=v1.23.2+5182151' id='mwf-main-js'></script>
<script type='text/javascript' src='https://js.monitor.azure.com/scripts/c/ms.analytics-web-3.min.js' id='oneds-tracking-js'></script>
<link rel="https://api.w.org/" href="https://www.microsoft.com/security/blog/wp-json/" /><link rel="alternate" type="application/json" href="https://www.microsoft.com/security/blog/wp-json/wp/v2/posts/114366" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.microsoft.com/security/blog/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://www.microsoft.com/security/blog/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.9.3" />
<link rel='shortlink' href='https://www.microsoft.com/security/blog/?p=114366' />
<link rel="alternate" type="application/json+oembed" href="https://www.microsoft.com/security/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2022%2F05%2F19%2Frise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://www.microsoft.com/security/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2022%2F05%2F19%2Frise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices%2F&#038;format=xml" />
<link rel="stylesheet" href="https://www.microsoft.com/onerfstatics/marketingsites-wcus-prod/west-european/shell/_scrf/css/themes=default.device=uplevel_web_pc/79-4cdd0a/33-ae3d41/a5-4bf7a2/13-8e1ceb/81-32f0c0/5c-b7b685/dd-4224e1/ef-a24652?ver=2.0&amp;_cf=20210618" type="text/css" media="all" /><link rel='stylesheet' href='https://statics-marketingsites-wcus-ms-com.akamaized.net/statics/override.css' type='text/css' /><style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style>
	<!-- LinkedIn Code -->
	<script type="text/javascript">
		var _linkedin_data_partner_id = "7850";
		function linkedinTracking(){
			var s = document.getElementsByTagName("script")[0];
			var b = document.createElement("script");
			b.type = "text/javascript";b.async = true;
			b.src = "https://snap.licdn.com/li.lms-analytics/insight.min.js";
			s.parentNode.insertBefore(b, s);
		}
	</script>
	<!-- End LinkedIn Code -->

	
	<!-- GDC Code -->
	<script>
		function gdcTracking() {
			var s = document.createElement( 'script' );
			var src = "//query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE1r2ij";
			s.setAttribute( 'src', src );
			document.head.appendChild( s );
		}
	</script>
	<!-- End GDC Code -->

			<style type="text/css" id="wp-custom-css">
			.syntaxhighlighter .toolbar span a.toolbar_item{
   display: none !important;
} 

.syntaxhighlighter div.toolbar {
  background: none !important;
}		</style>
		<script src="https://www.microsoft.com/onerfstatics/marketingsites-wcus-prod/shell/_scrf/js/themes=default/8e-e88b64/93-04b71e/dd-2cee44/49-a00ab0/92-02e55d/7c-dcea75/75-fca72d/ed-e77ee7/d5-bf34c0/a9-078595/7a-7ea8cc/2d-40bdad/23-e8cd2b/96-eb5423/e6-6b0cce/d1-98d78a/a0-23c4ba/a7-f7a340/48-6ed936/2e-ca165a/fc-169dd8/8e-60935c/87-fecbed/96-6ed6eb/c3-eb62e0/ad-ffd6bf/35-621acc/b0-07f293/1e-9d9d16/52-f0367f/1f-b57352/c3-e25a15/e1-ed258e/20-0b10e2/6b-0f1117/fb-5e9831/37-8473b9?ver=2.0&_cf=20210618&iife=1"></script><script src="https://mem.gfx.ms/meversion?partner=MSSecurity&market=en-us&uhf=1" defer></script>	<link rel="pingback" href="">

	<style>
	#ms-cookie-banner p {
		padding-top: 0;
	}
	</style>
</head>

<body class="post-template-default single single-post postid-114366 single-format-standard microsoft-uhf no-featured-image group-blog no-js not-ready document-locale-en_US">
<div id="ms-cookie-banner"></div><div id="page" class="site">
	<a class="m-skip-to-main" href="#mainContent" tabindex="0">Skip to main content</a>

	<!-- start universal header -->
			<div id="headerArea" class="uhf"  data-m='{"cN":"headerArea","cT":"Area_coreuiArea","id":"a1Body","sN":1,"aN":"Body"}'>
                <div id="headerRegion"      data-region-key="headerregion" data-m='{"cN":"headerRegion","cT":"Region_coreui-region","id":"r1a1","sN":1,"aN":"a1"}' >

    <div  id="headerUniversalHeader" data-m='{"cN":"headerUniversalHeader","cT":"Module_coreui-universalheader","id":"m1r1a1","sN":1,"aN":"r1a1"}'  data-module-id="Category|headerRegion|coreui-region|headerUniversalHeader|coreui-universalheader">
        





        <a id="uhfSkipToMain" class="m-skip-to-main" href="javascript:void(0)" data-href="#mainContent" tabindex="0" data-m='{"cN":"Skip to content_nonnav","id":"nn2c1m1r1a1","sN":2,"aN":"c1m1r1a1"}'>Skip to main content</a>


<header class="c-uhfh context-uhf no-js c-sgl-stck c-category-header " itemscope="itemscope" data-header-footprint="/MSSecurity/MSSecurityHeader, fromService: True"   data-magict="true"  itemtype="http://schema.org/Organization">
    <div class="theme-light js-global-head f-closed  global-head-cont" data-m='{"cN":"Universal Header_cont","cT":"Container","id":"c3c1m1r1a1","sN":3,"aN":"c1m1r1a1"}'>
        <div class="c-uhfh-gcontainer-st">



                    <nav id="uhf-g-nav" aria-label="Contextual menu" class="c-uhfh-gnav" data-m='{"cN":"Category nav_cont","cT":"Container","id":"c8c3c1m1r1a1","sN":8,"aN":"c3c1m1r1a1"}'>
            <ul class="js-paddle-items">
                                        <li class="nested-menu uhf-menu-item">
                        </li>                        <li class="nested-menu uhf-menu-item">
                        </li>                        <li class="single-link js-nav-menu uhf-menu-item">
                        </li>
                        <li class="nested-menu uhf-menu-item">
                            <div class="c-uhf-menu js-nav-menu">

                                <ul class="f-multi-column f-multi-column-5" data-class-idn="f-multi-column f-multi-column-5" aria-hidden="true" data-m='{"cT":"Container","id":"c9c8c3c1m1r1a1","sN":9,"aN":"c8c3c1m1r1a1"}'>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c1c9c8c3c1m1r1a1","sN":1,"aN":"c9c8c3c1m1r1a1"}'>

    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_99-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_CustomerStories_cont","cT":"Container","id":"c3c1c9c8c3c1m1r1a1","sN":3,"aN":"c1c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_100" class="js-subm-uhf-nav-link" href="https://customers.microsoft.com/en-us/search?sq=Microsoft%20Security&amp;ff=&amp;p=0&amp;so=story_publish_date%20desc" data-m='{"cN":"CatNav_Resources_CustomerStories_nav","id":"n1c3c1c9c8c3c1m1r1a1","sN":1,"aN":"c3c1c9c8c3c1m1r1a1"}'>Customer stories</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_Security101_cont","cT":"Container","id":"c4c1c9c8c3c1m1r1a1","sN":4,"aN":"c1c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_101" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/security/business/security-101/" data-m='{"cN":"CatNav_Resources_Security101_nav","id":"n1c4c1c9c8c3c1m1r1a1","sN":1,"aN":"c4c1c9c8c3c1m1r1a1"}'>Security 101</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_GetStartedTrials_cont","cT":"Container","id":"c5c1c9c8c3c1m1r1a1","sN":5,"aN":"c1c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_102" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/get-started/start-free-trial" data-m='{"cN":"CatNav_Resources_GetStartedTrials_nav","id":"n1c5c1c9c8c3c1m1r1a1","sN":1,"aN":"c5c1c9c8c3c1m1r1a1"}'>Product trials</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_HowWeProtectMicrosoft_cont","cT":"Container","id":"c6c1c9c8c3c1m1r1a1","sN":6,"aN":"c1c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_103" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/insidetrack" data-m='{"cN":"CatNav_Resources_HowWeProtectMicrosoft_nav","id":"n1c6c1c9c8c3c1m1r1a1","sN":1,"aN":"c6c1c9c8c3c1m1r1a1"}'>How we protect Microsoft</a>
            
        </li>
    </ul>
    
</li>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c2c9c8c3c1m1r1a1","sN":2,"aN":"c9c8c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_104-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c2c9c8c3c1m1r1a1","sN":1,"aN":"c2c9c8c3c1m1r1a1"}'>Reports and analysis</span>
    <button id="uhf-navbtn-shellmenu_104-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c2c9c8c3c1m1r1a1","sN":2,"aN":"c2c9c8c3c1m1r1a1"}'>Reports and analysis</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_104-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_SecurityInsider_cont","cT":"Container","id":"c3c2c9c8c3c1m1r1a1","sN":3,"aN":"c2c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_105" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/security-insider" data-m='{"cN":"CatNav_Resources_SecurityInsider_nav","id":"n1c3c2c9c8c3c1m1r1a1","sN":1,"aN":"c3c2c9c8c3c1m1r1a1"}'>Microsoft Security Insider</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_MDDR_cont","cT":"Container","id":"c4c2c9c8c3c1m1r1a1","sN":4,"aN":"c2c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_106" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report" data-m='{"cN":"CatNav_Resources_MDDR_nav","id":"n1c4c2c9c8c3c1m1r1a1","sN":1,"aN":"c4c2c9c8c3c1m1r1a1"}'>Microsoft Digital Defense Report</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_SecurityResposeCenter_cont","cT":"Container","id":"c5c2c9c8c3c1m1r1a1","sN":5,"aN":"c2c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_107" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/msrc/" data-m='{"cN":"CatNav_Resources_SecurityResposeCenter_nav","id":"n1c5c2c9c8c3c1m1r1a1","sN":1,"aN":"c5c2c9c8c3c1m1r1a1"}'>Security Response Center</a>
            
        </li>
    </ul>
    
</li>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c3c9c8c3c1m1r1a1","sN":3,"aN":"c9c8c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_108-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c3c9c8c3c1m1r1a1","sN":1,"aN":"c3c9c8c3c1m1r1a1"}'>Community</span>
    <button id="uhf-navbtn-shellmenu_108-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c3c9c8c3c1m1r1a1","sN":2,"aN":"c3c9c8c3c1m1r1a1"}'>Community</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_108-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_SecurityBlog_cont","cT":"Container","id":"c3c3c9c8c3c1m1r1a1","sN":3,"aN":"c3c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_109" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/security/blog/" data-m='{"cN":"CatNav_Resources_SecurityBlog_nav","id":"n1c3c3c9c8c3c1m1r1a1","sN":1,"aN":"c3c3c9c8c3c1m1r1a1"}'>Microsoft Security Blog</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_SecurityEvents_cont","cT":"Container","id":"c4c3c9c8c3c1m1r1a1","sN":4,"aN":"c3c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_110" class="js-subm-uhf-nav-link" href="https://events.microsoft.com/en-us/allevents/?language=English&amp;clientTimeZone=1&amp;search=security" data-m='{"cN":"CatNav_Resources_SecurityEvents_nav","id":"n1c4c3c9c8c3c1m1r1a1","sN":1,"aN":"c4c3c9c8c3c1m1r1a1"}'>Microsoft Security Events</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_SecurityTechCommunity_cont","cT":"Container","id":"c5c3c9c8c3c1m1r1a1","sN":5,"aN":"c3c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_111" class="js-subm-uhf-nav-link" href="https://techcommunity.microsoft.com/t5/security-compliance-and-identity/ct-p/MicrosoftSecurityandCompliance" data-m='{"cN":"CatNav_Resources_SecurityTechCommunity_nav","id":"n1c5c3c9c8c3c1m1r1a1","sN":1,"aN":"c5c3c9c8c3c1m1r1a1"}'>Microsoft Tech Community</a>
            
        </li>
    </ul>
    
</li>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c4c9c8c3c1m1r1a1","sN":4,"aN":"c9c8c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_112-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c4c9c8c3c1m1r1a1","sN":1,"aN":"c4c9c8c3c1m1r1a1"}'>Documentation and training</span>
    <button id="uhf-navbtn-shellmenu_112-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c4c9c8c3c1m1r1a1","sN":2,"aN":"c4c9c8c3c1m1r1a1"}'>Documentation and training</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_112-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_SecurityDocs_cont","cT":"Container","id":"c3c4c9c8c3c1m1r1a1","sN":3,"aN":"c4c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_113" class="js-subm-uhf-nav-link" href="https://docs.microsoft.com/en-us/security/" data-m='{"cN":"CatNav_Resources_SecurityDocs_nav","id":"n1c3c4c9c8c3c1m1r1a1","sN":1,"aN":"c3c4c9c8c3c1m1r1a1"}'>Documentation</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_TechnicalContentLibrary_cont","cT":"Container","id":"c4c4c9c8c3c1m1r1a1","sN":4,"aN":"c4c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_114" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/content-library/" data-m='{"cN":"CatNav_Resources_TechnicalContentLibrary_nav","id":"n1c4c4c9c8c3c1m1r1a1","sN":1,"aN":"c4c4c9c8c3c1m1r1a1"}'>Technical Content Library</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_TrainingandCertifications_cont","cT":"Container","id":"c5c4c9c8c3c1m1r1a1","sN":5,"aN":"c4c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_115" class="js-subm-uhf-nav-link" href="https://docs.microsoft.com/en-us/learn/topics/sci?wt.mc_id=techcom_header-webpage-m365" data-m='{"cN":"CatNav_Resources_TrainingandCertifications_nav","id":"n1c5c4c9c8c3c1m1r1a1","sN":1,"aN":"c5c4c9c8c3c1m1r1a1"}'>Training &amp; certifications</a>
            
        </li>
    </ul>
    
</li>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c5c9c8c3c1m1r1a1","sN":5,"aN":"c9c8c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_116-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c5c9c8c3c1m1r1a1","sN":1,"aN":"c5c9c8c3c1m1r1a1"}'>Additional sites</span>
    <button id="uhf-navbtn-shellmenu_116-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c5c9c8c3c1m1r1a1","sN":2,"aN":"c5c9c8c3c1m1r1a1"}'>Additional sites</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_116-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_ComplianceProgram_cont","cT":"Container","id":"c3c5c9c8c3c1m1r1a1","sN":3,"aN":"c5c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_117" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/services/compliance-program-microsoft-cloud" data-m='{"cN":"CatNav_Resources_ComplianceProgram_nav","id":"n1c3c5c9c8c3c1m1r1a1","sN":1,"aN":"c3c5c9c8c3c1m1r1a1"}'>Compliance Program for Microsoft Cloud</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_TrustCenter_cont","cT":"Container","id":"c4c5c9c8c3c1m1r1a1","sN":4,"aN":"c5c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_118" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/trust-center" data-m='{"cN":"CatNav_Resources_TrustCenter_nav","id":"n1c4c5c9c8c3c1m1r1a1","sN":1,"aN":"c4c5c9c8c3c1m1r1a1"}'>Microsoft Trust Center</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_SecurityEngineeringPortal_cont","cT":"Container","id":"c5c5c9c8c3c1m1r1a1","sN":5,"aN":"c5c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_119" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/securityengineering" data-m='{"cN":"CatNav_Resources_SecurityEngineeringPortal_nav","id":"n1c5c5c9c8c3c1m1r1a1","sN":1,"aN":"c5c5c9c8c3c1m1r1a1"}'>Security Engineering Portal</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Resources_ServiceTrustPortal_cont","cT":"Container","id":"c6c5c9c8c3c1m1r1a1","sN":6,"aN":"c5c9c8c3c1m1r1a1"}'>
            <a id="shellmenu_120" class="js-subm-uhf-nav-link" href="https://servicetrust.microsoft.com/" data-m='{"cN":"CatNav_Resources_ServiceTrustPortal_nav","id":"n1c6c5c9c8c3c1m1r1a1","sN":1,"aN":"c6c5c9c8c3c1m1r1a1"}'>Service Trust Portal</a>
            
        </li>
    </ul>
    
</li>
                                                    
                                </ul>
                            </div>
                        </li>                        <li class="single-link js-nav-menu uhf-menu-item">
                            <a id="c-shellmenu_121" class="c-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/get-started/contact-us" data-m='{"cN":"CatNav_Resources_ContactSales_nav","id":"n10c8c3c1m1r1a1","sN":10,"aN":"c8c3c1m1r1a1"}'>Contact sales</a>
                        </li>


                <li id="overflow-menu" class="overflow-menu x-hidden uhf-menu-item">
                        <div class="c-uhf-menu js-nav-menu">
        <button data-m='{"pid":"More","id":"nn11c8c3c1m1r1a1","sN":11,"aN":"c8c3c1m1r1a1"}' type="button" aria-label="More" aria-expanded="false">More</button>
        <ul id="overflow-menu-list" aria-hidden="true" class="overflow-menu-list">
        </ul>
    </div>

                </li>
                                    <li class="single-link js-nav-menu" id="c-uhf-nav-cta">
                        <a  class="c-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/get-started/start-free-trial" data-m='{"cN":"CatNav_cta_Start free trial_nav","id":"n12c8c3c1m1r1a1","sN":12,"aN":"c8c3c1m1r1a1"}'>Start free trial</a>
                    </li>
            </ul>
            
        </nav>


            <div class="c-uhfh-actions" data-m='{"cN":"Header actions_cont","cT":"Container","id":"c9c3c1m1r1a1","sN":9,"aN":"c3c1m1r1a1"}'>
                <div class="wf-menu">        <nav id="uhf-c-nav" aria-label="All Microsoft menu" data-m='{"cN":"GlobalNav_cont","cT":"Container","id":"c1c9c3c1m1r1a1","sN":1,"aN":"c9c3c1m1r1a1"}'>
            <ul class="js-paddle-items">
                <li>
                    <div class="c-uhf-menu js-nav-menu">
                        <button type="button" class="c-button-logo all-ms-nav" aria-label="All Microsoft expand to see list of Microsoft products and services" aria-expanded="false" data-m='{"cN":"GlobalNav_More_nonnav","id":"nn1c1c9c3c1m1r1a1","sN":1,"aN":"c1c9c3c1m1r1a1"}'> <span>All Microsoft</span></button>
                        <ul class="f-multi-column f-multi-column-4" aria-hidden="true" data-m='{"cN":"More_cont","cT":"Container","id":"c2c1c9c3c1m1r1a1","sN":2,"aN":"c1c9c3c1m1r1a1"}'>
                                    <li class="c-w0-contr">
            <ul class="c-w0">
        <li class="js-nav-menu single-link" data-m='{"cN":"Microsoft Security_cont","cT":"Container","id":"c1c2c1c9c3c1m1r1a1","sN":1,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_0" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security" data-m='{"cN":"W0Nav_Microsoft Security_nav","id":"n1c1c2c1c9c3c1m1r1a1","sN":1,"aN":"c1c2c1c9c3c1m1r1a1"}'>Microsoft Security</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Azure_cont","cT":"Container","id":"c2c2c1c9c3c1m1r1a1","sN":2,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_1" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/" data-m='{"cN":"W0Nav_Azure_nav","id":"n1c2c2c1c9c3c1m1r1a1","sN":1,"aN":"c2c2c1c9c3c1m1r1a1"}'>Azure</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Dynamics 365_cont","cT":"Container","id":"c3c2c1c9c3c1m1r1a1","sN":3,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_2" class="js-subm-uhf-nav-link" href="https://dynamics.microsoft.com/en-us/" data-m='{"cN":"W0Nav_Dynamics 365_nav","id":"n1c3c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c2c1c9c3c1m1r1a1"}'>Dynamics 365</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Microsoft 365_cont","cT":"Container","id":"c4c2c1c9c3c1m1r1a1","sN":4,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_3" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-365/business/" data-m='{"cN":"W0Nav_Microsoft 365_nav","id":"n1c4c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c2c1c9c3c1m1r1a1"}'>Microsoft 365</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Microsoft Teams_cont","cT":"Container","id":"c5c2c1c9c3c1m1r1a1","sN":5,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_4" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-teams/group-chat-software" data-m='{"cN":"W0Nav_Microsoft Teams_nav","id":"n1c5c2c1c9c3c1m1r1a1","sN":1,"aN":"c5c2c1c9c3c1m1r1a1"}'>Microsoft Teams</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Windows 365_cont","cT":"Container","id":"c6c2c1c9c3c1m1r1a1","sN":6,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_5" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/windows-365" data-m='{"cN":"W0Nav_Windows 365_nav","id":"n1c6c2c1c9c3c1m1r1a1","sN":1,"aN":"c6c2c1c9c3c1m1r1a1"}'>Windows 365</a>
            
        </li>
            </ul>
        </li>

<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c7c2c1c9c3c1m1r1a1","sN":7,"aN":"c2c1c9c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_7-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c7c2c1c9c3c1m1r1a1"}'>Tech &amp; innovation</span>
    <button id="uhf-navbtn-shellmenu_7-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c7c2c1c9c3c1m1r1a1","sN":2,"aN":"c7c2c1c9c3c1m1r1a1"}'>Tech &amp; innovation</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_7-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation_MicrosoftCloud_cont","cT":"Container","id":"c3c7c2c1c9c3c1m1r1a1","sN":3,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_8" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-cloud" data-m='{"cN":"GlobalNav_More_TechInnovation_MicrosoftCloud_nav","id":"n1c3c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c7c2c1c9c3c1m1r1a1"}'>Microsoft Cloud</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation__AI_cont","cT":"Container","id":"c4c7c2c1c9c3c1m1r1a1","sN":4,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_9" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/ai" data-m='{"cN":"GlobalNav_More_TechInnovation__AI_nav","id":"n1c4c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c7c2c1c9c3c1m1r1a1"}'>AI</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation_AzureSpace_cont","cT":"Container","id":"c5c7c2c1c9c3c1m1r1a1","sN":5,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_10" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/solutions/space/" data-m='{"cN":"GlobalNav_More_TechInnovation_AzureSpace_nav","id":"n1c5c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c5c7c2c1c9c3c1m1r1a1"}'>Azure Space</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation_MixedReality_cont","cT":"Container","id":"c6c7c2c1c9c3c1m1r1a1","sN":6,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_11" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/mixed-reality/windows-mixed-reality" data-m='{"cN":"GlobalNav_More_TechInnovation_MixedReality_nav","id":"n1c6c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c6c7c2c1c9c3c1m1r1a1"}'>Mixed reality</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation_MicrosoftHololens_cont","cT":"Container","id":"c7c7c2c1c9c3c1m1r1a1","sN":7,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_12" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/hololens" data-m='{"cN":"GlobalNav_More_TechInnovation_MicrosoftHololens_nav","id":"n1c7c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c7c7c2c1c9c3c1m1r1a1"}'>Microsoft HoloLens</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation_Microsoft Viva_cont","cT":"Container","id":"c8c7c2c1c9c3c1m1r1a1","sN":8,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_13" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-viva" data-m='{"cN":"GlobalNav_More_TechInnovation_Microsoft Viva_nav","id":"n1c8c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c8c7c2c1c9c3c1m1r1a1"}'>Microsoft Viva</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation_QuantumComputing_cont","cT":"Container","id":"c9c7c2c1c9c3c1m1r1a1","sN":9,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_14" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/solutions/quantum-computing/" data-m='{"cN":"GlobalNav_More_TechInnovation_QuantumComputing_nav","id":"n1c9c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c9c7c2c1c9c3c1m1r1a1"}'>Quantum computing</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_TechInnovation_Sustainability_cont","cT":"Container","id":"c10c7c2c1c9c3c1m1r1a1","sN":10,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_15" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/sustainability/" data-m='{"cN":"GlobalNav_More_TechInnovation_Sustainability_nav","id":"n1c10c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c10c7c2c1c9c3c1m1r1a1"}'>Sustainability</a>
            
        </li>
    </ul>
    
</li>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c8c2c1c9c3c1m1r1a1","sN":8,"aN":"c2c1c9c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_16-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c8c2c1c9c3c1m1r1a1"}'>Industries</span>
    <button id="uhf-navbtn-shellmenu_16-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c8c2c1c9c3c1m1r1a1","sN":2,"aN":"c8c2c1c9c3c1m1r1a1"}'>Industries</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_16-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"Industries_Education_cont","cT":"Container","id":"c3c8c2c1c9c3c1m1r1a1","sN":3,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_17" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/education" data-m='{"cN":"GlobalNav_Industries_Education_nav","id":"n1c3c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c8c2c1c9c3c1m1r1a1"}'>Education</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Industries_Automotive_cont","cT":"Container","id":"c4c8c2c1c9c3c1m1r1a1","sN":4,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_18" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/industry/automotive" data-m='{"cN":"GlobalNav_More_Industries_Automotive_nav","id":"n1c4c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c8c2c1c9c3c1m1r1a1"}'>Automotive</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Industries_Financialservices_cont","cT":"Container","id":"c5c8c2c1c9c3c1m1r1a1","sN":5,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_19" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/industry/financial-services/banking" data-m='{"cN":"GlobalNav_More_Industries_Financialservices_nav","id":"n1c5c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c5c8c2c1c9c3c1m1r1a1"}'>Financial services</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Industries_Government_cont","cT":"Container","id":"c6c8c2c1c9c3c1m1r1a1","sN":6,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_20" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/industry/government" data-m='{"cN":"GlobalNav_More_Industries_Government_nav","id":"n1c6c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c6c8c2c1c9c3c1m1r1a1"}'>Government</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Industries_Health_cont","cT":"Container","id":"c7c8c2c1c9c3c1m1r1a1","sN":7,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_21" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/industry/health" data-m='{"cN":"GlobalNav_More_Industries_Health_nav","id":"n1c7c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c7c8c2c1c9c3c1m1r1a1"}'>Healthcare</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Industries_Manufacturing_cont","cT":"Container","id":"c8c8c2c1c9c3c1m1r1a1","sN":8,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_22" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/industry/manufacturing" data-m='{"cN":"GlobalNav_More_Industries_Manufacturing_nav","id":"n1c8c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c8c8c2c1c9c3c1m1r1a1"}'>Manufacturing</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Industries_Retail_cont","cT":"Container","id":"c9c8c2c1c9c3c1m1r1a1","sN":9,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_23" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/industry/retail-consumer-goods" data-m='{"cN":"GlobalNav_More_Industries_Retail_nav","id":"n1c9c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c9c8c2c1c9c3c1m1r1a1"}'>Retail</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Industries_Allindustries_cont","cT":"Container","id":"c10c8c2c1c9c3c1m1r1a1","sN":10,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_24" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/industry" data-m='{"cN":"GlobalNav_More_Industries_Allindustries_nav","id":"n1c10c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c10c8c2c1c9c3c1m1r1a1"}'>All industries</a>
            
        </li>
    </ul>
    
</li>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c9c2c1c9c3c1m1r1a1","sN":9,"aN":"c2c1c9c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_25-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c9c2c1c9c3c1m1r1a1"}'>Partners</span>
    <button id="uhf-navbtn-shellmenu_25-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c9c2c1c9c3c1m1r1a1","sN":2,"aN":"c9c2c1c9c3c1m1r1a1"}'>Partners</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_25-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Partner_FindPartner_cont","cT":"Container","id":"c3c9c2c1c9c3c1m1r1a1","sN":3,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_26" class="js-subm-uhf-nav-link" href="https://partner.microsoft.com/en-US/" data-m='{"cN":"GlobalNav_More_Partner_FindPartner_nav","id":"n1c3c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c9c2c1c9c3c1m1r1a1"}'>Find a partner</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Partner_BecomePartner_cont","cT":"Container","id":"c4c9c2c1c9c3c1m1r1a1","sN":4,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_27" class="js-subm-uhf-nav-link" href="https://partner.microsoft.com/en-US/membership/cloud-solution-provider" data-m='{"cN":"GlobalNav_More_Partner_BecomePartner_nav","id":"n1c4c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c9c2c1c9c3c1m1r1a1"}'>Become a partner</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Partner_PartnerNetwork_cont","cT":"Container","id":"c5c9c2c1c9c3c1m1r1a1","sN":5,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_28" class="js-subm-uhf-nav-link" href="https://partner.microsoft.com/en-us/membership" data-m='{"cN":"GlobalNav_More_Partner_PartnerNetwork_nav","id":"n1c5c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c5c9c2c1c9c3c1m1r1a1"}'>Partner Network</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Partner_FindAdvertisingPartner_cont","cT":"Container","id":"c6c9c2c1c9c3c1m1r1a1","sN":6,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_29" class="js-subm-uhf-nav-link" href="https://about.ads.microsoft.com/en-us/resources/microsoft-advertising-partner-program/microsoft-advertising-partner-program" data-m='{"cN":"GlobalNav_More_Partner_FindAdvertisingPartner_nav","id":"n1c6c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c6c9c2c1c9c3c1m1r1a1"}'>Find an advertising partner</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Partner_BecomeAdvertisingPartner_cont","cT":"Container","id":"c7c9c2c1c9c3c1m1r1a1","sN":7,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_30" class="js-subm-uhf-nav-link" href="https://about.ads.microsoft.com/en-us/partners/welcome?s_cid=en-us-gct-web-src_ext-sub_0-flx_uhfcombepartner" data-m='{"cN":"GlobalNav_More_Partner_BecomeAdvertisingPartner_nav","id":"n1c7c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c7c9c2c1c9c3c1m1r1a1"}'>Become an advertising partner</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Partner_AzureMarketplace_cont","cT":"Container","id":"c8c9c2c1c9c3c1m1r1a1","sN":8,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_31" class="js-subm-uhf-nav-link" href="https://azuremarketplace.microsoft.com/en-us/" data-m='{"cN":"GlobalNav_More_Partner_AzureMarketplace_nav","id":"n1c8c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c8c9c2c1c9c3c1m1r1a1"}'>Azure Marketplace</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Partner_AppSource_cont","cT":"Container","id":"c9c9c2c1c9c3c1m1r1a1","sN":9,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_32" class="js-subm-uhf-nav-link" href="https://appsource.microsoft.com/en-us/" data-m='{"cN":"GlobalNav_More_Partner_AppSource_nav","id":"n1c9c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c9c9c2c1c9c3c1m1r1a1"}'>AppSource</a>
            
        </li>
    </ul>
    
</li>
<li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c10c2c1c9c3c1m1r1a1","sN":10,"aN":"c2c1c9c3c1m1r1a1"}'>

    <span id="uhf-navspn-shellmenu_33-span" style="display:none"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c10c2c1c9c3c1m1r1a1","sN":1,"aN":"c10c2c1c9c3c1m1r1a1"}'>Resources</span>
    <button id="uhf-navbtn-shellmenu_33-button" type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn2c10c2c1c9c3c1m1r1a1","sN":2,"aN":"c10c2c1c9c3c1m1r1a1"}'>Resources</button>
    <ul aria-hidden="true" aria-labelledby="uhf-navspn-shellmenu_33-span">
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Resources_Blog_cont","cT":"Container","id":"c3c10c2c1c9c3c1m1r1a1","sN":3,"aN":"c10c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_34" class="js-subm-uhf-nav-link" href="https://blogs.microsoft.com/" data-m='{"cN":"GlobalNav_More_Resources_Blog_nav","id":"n1c3c10c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c10c2c1c9c3c1m1r1a1"}'>Blog</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_Resources_MicrosoftAdvertising_cont","cT":"Container","id":"c4c10c2c1c9c3c1m1r1a1","sN":4,"aN":"c10c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_35" class="js-subm-uhf-nav-link" href="https://about.ads.microsoft.com/en-us?s_cid=dig-src_uhfcomm" data-m='{"cN":"GlobalNav_More_Resources_MicrosoftAdvertising_nav","id":"n1c4c10c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c10c2c1c9c3c1m1r1a1"}'>Microsoft Advertising</a>
            
        </li>
    </ul>
    
</li>
                            
                        </ul>
                    </div>
                </li>
            </ul>
        </nav>
</div>
                
            </div>
        </div>
        
        
    </div>
    
</header>




    </div>
        </div>

    </div>		<!-- end universal footer -->

		<section data-grid="col-12" class="m-highlight-feature f-lean single-post-hero no-image">
		<div>
			
	<span class="entry-date published">	
		<time datetime="2022-05-19T09:00:00-07:00">
			May 19, 2022		</time>
		&bullet; 22 min read	</span>

			<h1 class="c-heading">
				Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices			</h1>

			<div class="author-information">
				<div class="author-details">
					<ul class="authors">
							<li class="author-item">
		<span class="author-name">Microsoft 365 Defender Research Team</span>
			</li>
						</ul>
				</div>
			</div>
		</div>
	</section>
	
	<main id="mainContent" class="primary" data-grid="container">
		<div class="wrap-content">
			
<article class="post-114366 post type-post status-publish format-standard has-post-thumbnail hentry category-cybersecurity tag-linux tag-malware tag-microsoft tag-microsoft-security-intelligence tag-security">



	
	<div class="entry-content">
		
<p>In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.</p>



<p>XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices. By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out distributed denial-of-service (DDoS) attacks. Using a botnet to perform DDoS attacks can potentially create significant disruptions, such as the <a href="https://azure.microsoft.com/blog/business-as-usual-for-azure-customers-despite-24-tbps-ddos-attack/?ranMID=24542&amp;ranEAID=TnL5HPStwNw&amp;ranSiteID=TnL5HPStwNw-QrFhTcj5NHbS49DwTEAxiA&amp;epi=TnL5HPStwNw-QrFhTcj5NHbS49DwTEAxiA&amp;irgwc=1&amp;OCID=AID2200057_aff_7593_1243925&amp;tduid=%28ir__f1adpj9cvckf62kijydwmqedqu2xtltt90ejoqbv00%29%287593%29%281243925%29%28TnL5HPStwNw-QrFhTcj5NHbS49DwTEAxiA%29%28%29&amp;irclickid=_f1adpj9cvckf62kijydwmqedqu2xtltt90ejoqbv00">2.4 Tbps DDoS attack Microsoft mitigated</a> in August 2021. DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems.</p>



<p>Botnets can also be used to compromise other devices, and XorDdos is known for using Secure Shell (SSH) brute force attacks to gain remote control on target devices. SSH is one of the most common protocols in IT infrastructures and enables encrypted communications over insecure networks for remote system administration purposes, making it an attractive vector for attackers. Once XorDdos identifies valid SSH credentials, it uses root privileges to run a script that downloads and installs XorDdos on the target device.</p>



<p>XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy. Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis. We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions.</p>



<figure class="wp-block-image size-large"><img width="1024" height="747" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-1.-Typical-attack-vector-for-XorDdos-malware_ccexpress-1024x747.png" alt="Figure 1 displays a diagram depicting a typical attack flow for XorDdos malware. The attacker communicates with a bot to SSH brute force a target device and download XorDdos. The malware then performs several techniques for evasion and persistence before connecting with the attacker's C2 server to send data and receive commands." class="wp-image-114540" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-1.-Typical-attack-vector-for-XorDdos-malware_ccexpress-1024x747.png 1024w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-1.-Typical-attack-vector-for-XorDdos-malware_ccexpress-300x219.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-1.-Typical-attack-vector-for-XorDdos-malware_ccexpress-768x560.png 768w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-1.-Typical-attack-vector-for-XorDdos-malware_ccexpress.png 1207w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Figure 1. A typical attack vector for XorDdos malware</figcaption></figure>



<p>XorDdos may further illustrate another trend observed in various platforms, in which malware is used to deliver other dangerous threats. We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner. While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it’s possible that the trojan is leveraged as a vector for follow-on activities.</p>



<p><a href="https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1">Microsoft Defender for Endpoint</a> protects against XorDdos by detecting and remediating the trojan’s multi-stage, modular attacks throughout its entire attack chain and any potential follow-on activities on endpoints. In this blog post, we detail our in-depth analysis of XorDdos to help defenders understand its techniques and protect their networks from this stealthy malware.</p>



<p>This blog post covers the following topics:</p>



<ul><li><a href="#Initial_access">Initial access</a></li><li><a href="#XorDdos_payload">XorDdos payload analysis</a><ul><li><a href="#Detection_evasion">Detection evasion capabilities</a></li></ul><ul><li><a href="#Persistence_mechanisms">Persistence mechanisms</a></li></ul><ul><li><a href="#Argument-based_code-flow">Argument-based code-flow</a></li></ul><ul><li><a href="#Malicious_activity">Malicious activity threads</a></li></ul><ul><li><a href="#DDoS_attack">DDoS attack thread pool</a></li></ul></li><li><a href="#Defending_against">Defending against Linux platform threats</a></li><li><a href="#Detection_details">Detection details</a></li><li><a href="#Hunting_queries">Hunting queries</a></li><li><a href="#Indicators">Indicators</a></li></ul>



<h2 id="Initial_access">Initial access</h2>



<p>XorDdos propagates primarily via SSH brute force. It uses a malicious shell script to try various root credential combinations across thousands of servers until finding a match on a target Linux device. As a result, we see many failed sign-in attempts on devices successfully infected by the malware:</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="196" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-2.-Failed-sign-in-attempts-on-a-device-affected-by-XorDdos.png" alt="Figure 2's line chart depicts the increasing amount of failed sign-in attempts by a device infected by XorDdos. " class="wp-image-114375" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-2.-Failed-sign-in-attempts-on-a-device-affected-by-XorDdos.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-2.-Failed-sign-in-attempts-on-a-device-affected-by-XorDdos-300x74.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-2.-Failed-sign-in-attempts-on-a-device-affected-by-XorDdos-768x188.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 2. Failed sign-in attempts on a device affected by XorDdos</figcaption></figure>



<p>Our analysis identified two methods that XorDdos uses for initial access. The first method involves copying a malicious ELF file to the temporary file storage <em>/dev/shm</em> and then running it. Files written at <em>/dev/shm</em> are deleted during system restart, thus concealing the source of infection during forensic analysis.</p>



<p>The second method involves running a bash script that performs the following activities via the command line:</p>



<ol type="1"><li>Iterates the following folders to find a writable directory:<ul><li><em>/bin</em></li><li><em>/home</em></li><li><em>/root</em></li><li><em>/tmp</em></li><li><em>/usr</em></li><li><em>/etc</em></li></ul></li><li>If a writable directory is found, changes the working directory to the discovered writable directory.</li><li>Uses the <em>curl</em> command to download the ELF file payload from the remote location <em>hxxp://Ipv4PII_777789ffaa5b68638cdaea8ecfa10b24b326ed7d/1[.]txt</em> and saves the file as <em>ygljglkjgfg0</em>.</li><li>Changes the file mode to “executable”.</li><li>Runs the ELF file payload.</li><li>Moves and renames the Wget binary to evade rule-based detections triggered by malicious usage of the Wget binary. In this case, it renames the Wget binary to <em>good</em> and moves the file to the following locations:<ul><li><em>mv /usr/bin/wget /usr/bin/good</em></li><li><em>mv /bin/wget /bin/good</em></li></ul></li><li>Attempts to download the ELF file payload for a second time, now only using the file <em>good</em> and not the Wget binary.</li><li>After running the ELF file, uses an anti-forensic technique that hides its past activity by overwriting the content of the following sensitive files with a newline character:</li></ol>



<figure class="wp-block-table"><table><tbody><tr><td><strong>Sensitive file</strong></td><td><strong>Description</strong></td></tr><tr><td>/root/.bash_history</td><td>Contains the commands that were run earlier</td></tr><tr><td>/var/log/wtmp</td><td>Contains login-related records for users</td></tr><tr><td>/var/log/btmp</td><td>Contains records of failed login attempts</td></tr><tr><td>/var/log/lastlog</td><td>Contains the recent login information for users</td></tr><tr><td>/var/log/secure</td><td>Contains information related to security, such as logs for authentication failures, sudo logins, and authorization privileges</td></tr><tr><td>/var/log/boot.log</td><td>Contains information related to system boot and messages logged by system startup processes</td></tr><tr><td>/var/log/cron</td><td>Contains information related to cron job launches, successes, and failure error logs</td></tr><tr><td>/var/log/dmesg</td><td>Contains information related to kernel ring buffer messages, hardware devices, drivers, etc.</td></tr><tr><td>/var/log/firewalld</td><td>Contains logs related to firewall activities</td></tr><tr><td>/var/log/maillog</td><td>Contains information related to a mail server running on the system</td></tr><tr><td>/var/log/messages</td><td>Contains generic system activity messages</td></tr><tr><td>/var/log/spooler</td><td>Contains messages from usenet</td></tr><tr><td>/var/log/syslog</td><td>Contains generic system activity messages</td></tr><tr><td>/var/log/yum.log</td><td>Contains the package logs related to installation, removal, and update activities performed via the yum utility</td></tr></tbody></table></figure>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="844" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-3.-Remote-bash-script-command-used-for-initial-access.png" alt="Figure 3 displays the remote bash script command used for initial access" class="wp-image-114501" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-3.-Remote-bash-script-command-used-for-initial-access.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-3.-Remote-bash-script-command-used-for-initial-access-284x300.png 284w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-3.-Remote-bash-script-command-used-for-initial-access-768x810.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 3. Remote bash script command used for initial access</figcaption></figure>
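<p>The host artifacts left by the two initial access methods above can be checked with a short triage script. The following is an added example, not code from the original post or from Microsoft: it looks for log files from the table that now hold only a single newline or null byte, for the renamed Wget binary, and for ELF images in <em>/dev/shm</em>. The function names, the alternative-root parameter, and the sample tree it builds are assumptions made for illustration.</p>

```python
import os
import tempfile

# Files the page's table lists as overwritten by the initial-access script.
WIPE_TARGETS = [
    "/root/.bash_history", "/var/log/wtmp", "/var/log/btmp",
    "/var/log/lastlog", "/var/log/secure", "/var/log/boot.log",
    "/var/log/cron", "/var/log/dmesg", "/var/log/firewalld",
    "/var/log/maillog", "/var/log/messages", "/var/log/spooler",
    "/var/log/syslog", "/var/log/yum.log",
]
# Destinations of the two mv commands quoted on the page.
RENAMED_WGET = ["/usr/bin/good", "/bin/good"]
ELF_MAGIC = b"\x7fELF"


def under(root, path):
    """Map an absolute path onto another root, e.g. a mounted disk image."""
    return os.path.join(root, path.lstrip("/"))


def triage(root="/"):
    """Return (signal, path) pairs for the artifacts the page describes."""
    findings = []

    # 1. A log that is exactly one byte long and holds only a newline (or a
    #    null byte) matches the overwrite described on the page. Empty files
    #    are not flagged: btmp and similar logs are often legitimately empty.
    for path in WIPE_TARGETS:
        real = under(root, path)
        try:
            if os.path.getsize(real) != 1:
                continue
            with open(real, "rb") as fh:
                content = fh.read()
        except OSError:
            continue  # missing or unreadable: nothing to report
        if content in (b"\n", b"\x00"):
            findings.append(("wiped-log", path))

    # 2. The Wget binary moved to the name "good".
    for path in RENAMED_WGET:
        if os.path.isfile(under(root, path)):
            findings.append(("renamed-wget", path))

    # 3. ELF images in /dev/shm (first access method). This is a triage hint,
    #    not proof: review each hit before acting on it.
    shm = under(root, "/dev/shm")
    try:
        names = sorted(os.listdir(shm))
    except OSError:
        names = []
    for name in names:
        real = os.path.join(shm, name)
        if not os.path.isfile(real):
            continue
        try:
            with open(real, "rb") as fh:
                if fh.read(4) == ELF_MAGIC:
                    findings.append(("elf-in-shm", "/dev/shm/" + name))
        except OSError:
            continue
    return findings


def build_constructed_root():
    """Create a small fake filesystem (constructed sample data) and return it."""
    root = tempfile.mkdtemp(prefix="xorddos-triage-")
    samples = {
        "/var/log/secure": b"\n",   # overwritten with a newline
        "/var/log/messages": b"May 19 09:00:01 host systemd[1]: Started.\n",
        "/var/log/btmp": b"",       # empty, must not be flagged
        "/usr/bin/good": b"placeholder for a renamed wget",
        "/dev/shm/a1b2c3": ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9,
        "/dev/shm/notes.txt": b"not an executable",
    }
    for path, content in samples.items():
        real = under(root, path)
        os.makedirs(os.path.dirname(real), exist_ok=True)
        with open(real, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for signal, path in triage(build_constructed_root()):
        print(f"{signal:13} {path}")
```

<p>Run <em>triage("/")</em> as root on a live host, or pass the mount point of a forensic image. On distributions where <em>/bin</em> is a symbolic link to <em>/usr/bin</em>, a single renamed binary is reported under both paths.</p>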



<p>Whichever initial access method is used, the result is the same: the running of a malicious ELF file, which is the XorDdos malware. In the next section, we do a deep dive into the XorDdos payload.</p>



<h2 id="XorDdos_payload">XorDdos payload analysis</h2>



<p>The XorDdos payload we analyzed for this research is a 32-bit ELF file that was not stripped, meaning it contained debug symbols that detailed the malware’s dedicated code for each of its activities. The inclusion of debug symbols makes it easier to debug and reverse engineer non-stripped binaries, as compared to stripped binaries that discard these symbols. In this case, the non-stripped binary includes the following source-code file names associated with the symbol table entries as part of the <em>.strtab</em> section in the ELF file:</p>



<ul><li>crtstuff.c</li><li>autorun.c</li><li>crc32.c</li><li>encrypt.c</li><li>execpacket.c</li><li>buildnet.c</li><li>hide.c</li><li>http.c</li><li>kill.c</li><li>main.c</li><li>proc.c</li><li>socket.c</li><li>tcp.c</li><li>thread.c</li><li>findip.c</li><li>dns.c</li></ul>



<p>The above list of source-code file names indicates that the binary is programmed in C/C++ and that its code is modular.</p>



<h3 id="Detection_evasion"><em>Detection evasion capabilities</em></h3>



<p>XorDdos contains modules with specific functionalities to evade detection, as detailed below.</p>



<p><strong>Daemon processes</strong></p>



<p>A daemon process is a process that runs in the background rather than under the control of users and detaches itself from the controlling terminal, terminating only when the system is shut down. Similar to some Linux malware families, the XorDdos trojan uses daemon processes, as detailed below, to break process tree-based analysis:</p>



<ol type="1"><li>The malware calls the subroutine <em>daemon(__nochdir, __noclose)</em> to set itself as a background daemon process, which internally calls <em>fork()</em> and <em>setsid()</em>. The <em>fork()</em> API creates a new child process with the same process group ID as the calling process.</li><li>After the successful call to the <em>fork()</em> API, the parent stops itself by returning “<em>EXIT_SUCCESS</em> (0)”. The purpose is to ensure that the child process is not a process group leader, which is a prerequisite for the <em>setsid()</em> API call to be successful. It then calls <em>setsid()</em> to detach itself from the controlling terminal.</li><li>The daemon subroutine also has a provision to change the directory to the root directory (&#8220;<strong>/</strong>&#8221;) if the first parameter <em>__nochdir</em> is passed with a value equal to “0”. One reason for the daemon process to change the directory to the root partition (&#8220;<strong>/</strong>&#8221;) is that running the process from a mounted file system prevents unmounting unless the process is stopped.</li><li>It passes the second parameter <em>__noclose</em> as “0” to redirect standard input, standard output, and standard error to <em>/dev/null</em>. It does this by calling <em>dup2</em> on the file descriptor for <em>/dev/null</em>.</li><li>The malware calls multiple signal APIs to ignore a possible signal from the controlling terminal and detach the current process from the standard stream and HangUp signals (SIGHUP) when the terminal session is disconnected. Performing this evasive signal suppression helps stop the effects of standard libraries trying to write to standard output or standard error, or trying to read from standard input, which could stop the malware’s child process.
The API <em>signal()</em> sets the disposition of the signal signum to the handler, which is either <em>SIG_IGN</em>, <em>SIG_DFL</em>, or the address of a programmer-defined signal handler. In this case, the second parameter is set to “SIG_IGN=1”, which ignores the signal corresponding to signum.</li></ol>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="242" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-4.-Ignore-signals-associated-with-the-terminal-related-operations.png" alt="Figure 4 displays how signals associated with terminal-related operations are ignored." class="wp-image-114504" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-4.-Ignore-signals-associated-with-the-terminal-related-operations.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-4.-Ignore-signals-associated-with-the-terminal-related-operations-300x91.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-4.-Ignore-signals-associated-with-the-terminal-related-operations-768x232.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 4. Ignore signals associated with the terminal-related operations</figcaption></figure>



<p><strong>XOR-based encryption</strong></p>



<p>As its name suggests, XorDdos uses XOR-based encryption to obfuscate data. It calls the <em>dec_conf</em> function to decode encoded strings using the XOR key “BB2FA36AAA9541F0”. The table below shows the decoded values of the obfuscated data used across the malware’s various modules to conduct its activities.</p>



<figure class="wp-block-table"><table><tbody><tr><td><strong>Encrypted strings</strong></td><td><strong>Decoded value</strong></td></tr><tr><td>m7A4nQ_/nA</td><td>/usr/bin/</td></tr><tr><td>m [(n3</td><td>/bin/</td></tr><tr><td>m6_6n3</td><td>/tmp/</td></tr><tr><td>m4S4nAC/n&amp;ZV\x1aA/TB</td><td>/var/run/gcc.pid</td></tr><tr><td>m.[$n__#4%\C\x1aB]0</td><td>/lib/libudev.so</td></tr><tr><td>m.[$n3</td><td>/lib/</td></tr><tr><td>m4S4nAC/nA</td><td>/var/run/</td></tr><tr><td>!#Ff3VE.-7\x17V[_</td><td>cat resolv.conf</td></tr><tr><td>&lt;Encrypted_Remote_URL&gt;</td><td>hxxp://aa.hostasa[.]org/config.rar</td></tr></tbody></table></figure>
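<p>The decoding in the table above can be reproduced with a repeating-key XOR whose key index restarts at zero for every string. The following is an added example for analysts, not the malware's <em>dec_conf</em> code and not code from the original post: it decodes rows from the table and scans a byte buffer for further strings encoded with the same key. The function names and the sample buffer are constructed for illustration.</p>

```python
XOR_KEY = b"BB2FA36AAA9541F0"   # key stated on the page
PRINTABLE = range(0x20, 0x7F)   # ASCII space through tilde

# Rows copied from the page's table: (encoded bytes, decoded value).
TABLE_ROWS = [
    (b"m7A4nQ_/nA", "/usr/bin/"),
    (b"m [(n3", "/bin/"),
    (b"m6_6n3", "/tmp/"),
    (b"m4S4nAC/n&ZV\x1aA/TB", "/var/run/gcc.pid"),
    (b"m.[$n3", "/lib/"),
    (b"m4S4nAC/nA", "/var/run/"),
]


def xor_bytes(data, key=XOR_KEY):
    """Repeating-key XOR; the key index starts at 0 for each string."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(encoded, key=XOR_KEY):
    """Decode one encoded C string and return the text before its terminator."""
    plain = xor_bytes(encoded, key)
    end = plain.find(b"\x00")
    if end == -1:
        raise ValueError("no NUL terminator: wrong key or truncated input")
    return plain[:end].decode("ascii")


def encode_string(text, key=XOR_KEY):
    """Encoded form of a known plaintext, terminator included.

    The terminator encodes to the key byte at that position, which is why the
    encoded "/usr/bin/" ends in "A". Useful for searching samples for strings
    you already expect to find.
    """
    return xor_bytes(text.encode("ascii") + b"\x00", key)


def scan_blob(blob, key=XOR_KEY, min_len=4):
    """Find (offset, text) pairs in blob that decode to a printable C string.

    Every offset is tried as a string start because the key alignment is per
    string, not per file offset. Long runs of zero bytes decode to the key
    itself and can yield false hits; filter those when scanning real samples.
    """
    hits = []
    i = 0
    while i < len(blob):
        out = bytearray()
        for j in range(i, len(blob)):
            p = blob[j] ^ key[(j - i) % len(key)]
            if p == 0 or p not in PRINTABLE:
                break
            out.append(p)
        else:
            p = None  # reached the end of the buffer without a terminator
        if p == 0 and len(out) >= min_len:
            hits.append((i, out.decode("ascii")))
            i += len(out) + 1  # skip past the string and its terminator
        else:
            i += 1
    return hits


def build_constructed_blob():
    """Constructed sample: two encoded table rows separated by 0xCC filler."""
    filler = b"\xcc"
    return (b"\x7fELF" + filler * 8 + TABLE_ROWS[0][0]
            + filler * 3 + TABLE_ROWS[3][0] + filler * 4)


if __name__ == "__main__":
    for encoded, expected in TABLE_ROWS:
        print(f"{encoded!r:28} -> {decode_string(encoded)!r}")
    for offset, text in scan_blob(build_constructed_blob()):
        print(f"offset {offset:3}: {text}")
```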



<p><strong>Process name spoofing</strong></p>



<p>When a process is launched, arguments are provided to its main function as null-terminated strings, where the first argument is always the process image path. To spoof its process name, XorDdos zeroes out all argument buffers while running and overwrites its first argument buffer containing the image path with a fake command line, such as <em>cat resolv.conf</em>.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="577" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/5-test_ccexpress.png" alt="Figure 5 displays how process name spoofing is achieved by modifying memory associated with argument vectors." class="wp-image-114519" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/5-test_ccexpress.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/5-test_ccexpress-300x216.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/5-test_ccexpress-768x554.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 5. Process name spoofing achieved by modifying memory associated with argument vectors.</figcaption></figure>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="129" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-6.-Output-of-the-‘ps-aef-contains-an-entry-for-cat-resolv.conf_.png" alt="Figure 6 displays the output of the 'ps -aef' containing an entry for &quot;cat resolv.conf&quot;. " class="wp-image-114387" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-6.-Output-of-the-‘ps-aef-contains-an-entry-for-cat-resolv.conf_.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-6.-Output-of-the-‘ps-aef-contains-an-entry-for-cat-resolv.conf_-300x48.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-6.-Output-of-the-‘ps-aef-contains-an-entry-for-cat-resolv.conf_-768x124.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 6. Output of the ‘ps -aef’ contains an entry for “cat resolv.conf”</figcaption></figure>
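<p>The spoofing described above leaves a pattern that can be checked from user mode. A genuine <em>cat resolv.conf</em> stores its arguments in <em>/proc/&lt;pid&gt;/cmdline</em> separated by null bytes, while a fake command line written into the first argument buffer keeps its spaces and names a different program than <em>/proc/&lt;pid&gt;/exe</em>. The following is an added example, not code from the original post: the heuristic, the function names, and the fake <em>/proc</em> tree are assumptions made for illustration, and a kernel rootkit that hides the process directory defeats it.</p>

```python
import os
import tempfile

DELETED = " (deleted)"   # suffix the kernel appends to unlinked image paths


def classify(cmdline, exe):
    """Return a reason string when cmdline/exe fit the spoofing pattern, else None.

    cmdline is the raw content of /proc/<pid>/cmdline; exe is the target of the
    /proc/<pid>/exe symbolic link.
    """
    args = cmdline.split(b"\x00")
    argv0 = args[0].decode("utf-8", "replace")
    if not argv0 or not exe:
        return None                  # kernel thread or unreadable process
    if exe.endswith(DELETED):
        exe = exe[: -len(DELETED)]
    if argv0 == exe:
        return None                  # image path that itself contains spaces
    # The fake command line sits entirely in argv[0]; every later argument
    # buffer was zeroed, so nothing non-empty may follow it.
    if " " not in argv0 or any(args[1:]):
        return None
    claimed = os.path.basename(argv0.split(" ", 1)[0]).rstrip(":")
    if claimed == os.path.basename(exe):
        return None                  # legitimate retitling, e.g. "nginx: worker process"
    return f"argv[0] is {argv0!r} but the image is {exe}"


def scan(proc_root="/proc"):
    """Return (pid, reason) for every process that classify() flags."""
    hits = []
    pids = sorted((n for n in os.listdir(proc_root) if n.isdigit()), key=int)
    for name in pids:
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue                 # process exited or access was denied
        reason = classify(cmdline, exe)
        if reason:
            hits.append((int(name), reason))
    return hits


def build_constructed_proc():
    """Create a fake /proc tree (constructed sample data) and return its path."""
    root = tempfile.mkdtemp(prefix="fake-proc-")
    samples = {
        100: (b"cat\x00resolv.conf\x00", "/usr/bin/cat"),               # genuine cat
        200: (b"nginx: worker process\x00\x00\x00", "/usr/sbin/nginx"),  # retitled daemon
        300: (b"cat resolv.conf\x00\x00\x00\x00", "/usr/bin/kqzvbnmrte"),  # spoofed
    }
    for pid, (cmdline, exe) in samples.items():
        base = os.path.join(root, str(pid))
        os.makedirs(base)
        with open(os.path.join(base, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        os.symlink(exe, os.path.join(base, "exe"))   # dangling link is fine
    return root


if __name__ == "__main__":
    for pid, reason in scan(build_constructed_proc()):
        print(pid, reason)
```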



<p><strong>Kernel rootkit</strong></p>



<p>Some XorDdos samples install a kernel rootkit. A rootkit is a kernel module that hides the presence of malicious code by modifying operating system data structures. The XorDdos kernel rootkit generally has the following capabilities:</p>



<ul><li>Provide root access</li><li>Hide the kernel module</li><li>Hide the malware’s processes</li><li>Hide the malware’s network connections and ports</li></ul>



<p>Based on the debug symbols found in the rootkit, it’s likely that XorDdos’ rootkit code was inspired by an open-source project called&nbsp;<a href="https://github.com/jermeyyy/rooty">rooty</a>. The following table describes the symbols found in the rootkit and their corresponding functionalities:</p>



<figure class="wp-block-table"><table><tbody><tr><td><strong>Function name</strong></td><td><strong>Description</strong></td></tr><tr><td>give_root</td><td>Provides root privilege by setting a new set of credentials and assigning its UID and GID to &#8220;0&#8221;</td></tr><tr><td>module_hide</td><td>Hides the rootkit kernel module</td></tr><tr><td>module_show</td><td>Unhides the rootkit kernel module</td></tr><tr><td>get_udp_seq_show</td><td>Hides the UDP4 connection by hooking <em>/proc/net/udp</em><br>Hides the UDP6 connection by hooking <em>/proc/net/udp6</em></td></tr><tr><td>get_tcp_seq_show</td><td>Hides the TCP4 connection by hooking <em>/proc/net/tcp</em><br>Hides the TCP6 connection by hooking <em>/proc/net/tcp6</em></td></tr><tr><td>hide_udp4_port</td><td>Adds a provided port to a list of hidden UDP4 ports</td></tr><tr><td>unhide_udp4_port</td><td>Deletes a provided port from a list of hidden UDP4 ports</td></tr><tr><td>hide_udp6_port</td><td>Adds a provided port to a list of hidden UDP6 ports</td></tr><tr><td>unhide_udp6_port</td><td>Deletes a provided port from a list of hidden UDP6 ports</td></tr><tr><td>hide_tcp4_port</td><td>Adds a provided port to a list of hidden TCP4 ports</td></tr><tr><td>unhide_tcp4_port</td><td>Deletes a provided port from a list of hidden TCP4 ports</td></tr><tr><td>hide_tcp6_port</td><td>Adds a provided port to a list of hidden TCP6 ports</td></tr><tr><td>unhide_tcp6_port</td><td>Deletes a provided port from a list of hidden TCP6 ports</td></tr><tr><td>unhide_allz</td><td>Iterates the list of all hidden ports and deletes all entries</td></tr></tbody></table></figure>



<p><strong>Process and port hiding</strong></p>



<p>The malware tries to hide its processes and ports using its kernel rootkit component. Hiding a process assists the malware in evading rule-based detections.</p>



<p>The <em>/proc</em> filesystem contains information related to all running processes. A user-mode process can get any process specific information by reading the <em>/proc</em> directory that contains the subdirectory for each running process on the system, such as:</p>



<ul><li><em>/proc/7728</em> &#8211; Contains process-id (PID) 7728-related information</li><li><em>/proc/698</em> &#8211; Contains PID 698-related information</li></ul>



<p>Running the <em>strace -e open ps</em> command traces the <em>open</em> calls that the <em>ps</em> command makes on <em>/proc/$pid</em> to fetch information on running processes.</p>



<pre class="wp-block-preformatted">&gt; strace -e open ps
open("/proc/3922/status", O_RDONLY)     = 6
open("/proc/4324/stat", O_RDONLY)       = 6
open("/proc/4324/status", O_RDONLY)     = 6
open("/proc/5559/stat", O_RDONLY)       = 6
open("/proc/5559/status", O_RDONLY)     = 6
open("/proc/5960/stat", O_RDONLY)       = 6
open("/proc/5960/status", O_RDONLY)     = 6
open("/proc/5978/stat", O_RDONLY)       = 6
open("/proc/5978/status", O_RDONLY)     = 6
</pre>



<p>If the malware hides the <em>$pid</em>-specific directory, user-mode tools that read <em>/proc</em> can no longer fetch information about the corresponding process.</p>



<p>In this case, the malware has a provision for communicating with its rootkit component <em>/proc/rs_dev</em> by sending input and output control (IOCTL) calls with additional information to take appropriate action. IOCTL is one way to communicate between the user-mode service and kernel device driver. The malware uses the number “0x9748712” to uniquely identify its IOCTL calls from other IOCTL calls in the system.</p>



<p>Along with this number, it also passes an integer array. The first entry in the array corresponds to the command, and the second entry stores the value to act on, such as <em>$pid</em>.</p>



<figure class="wp-block-table"><table><tbody><tr><td><strong>Command</strong></td><td><strong>Usage</strong></td></tr><tr><td>0</td><td>Check if its rootkit driver is present</td></tr><tr><td>1, 2</td><td>Hide or unhide &lt;PID&gt;</td></tr><tr><td>3</td><td>Hide &lt;port&gt;</td></tr></tbody></table></figure>
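<p>Because the hiding described above works by removing the <em>/proc/$pid</em> directory from what user-mode tools see, a defender can run a cross-view check: list <em>/proc</em>, then probe every PID directly and report those that answer but are not listed. The following is an added example, not code from the original analysis; it assumes a hidden process still answers a signal-0 probe, and all function names are hypothetical.</p>

```python
import os


def listed_pids(proc_root="/proc"):
    """PIDs visible through a directory listing of /proc (what ps walks)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_alive(pid):
    """Probe a PID directly with signal 0, bypassing the /proc listing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # the process exists but belongs to another user
    return True


def tgid_of(pid, proc_root="/proc"):
    """Thread-group ID from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def pid_max(default=32768):
    """Upper bound of the PID space on this host."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


def find_hidden_pids(list_fn=listed_pids, alive_fn=pid_alive,
                     tgid_fn=tgid_of, limit=None):
    """Return PIDs that answer a direct probe but are missing from /proc.

    Thread IDs can answer signal 0 too and are never listed at the top level
    of /proc, so an ID whose Tgid names a different, listed process is
    skipped. The listing is taken before and after probing so that processes
    that start or exit during the scan are not reported.
    """
    limit = limit or pid_max()
    before = list_fn()
    candidates = [pid for pid in range(1, limit + 1)
                  if pid not in before and alive_fn(pid)]
    after = list_fn()
    hidden = []
    for pid in candidates:
        if pid in after:
            continue  # started during the scan and is now listed
        if not alive_fn(pid):
            continue  # exited during the scan
        tgid = tgid_fn(pid)
        if tgid is not None and tgid != pid and tgid in after:
            continue  # ordinary thread of a visible process
        hidden.append(pid)
    return hidden


if __name__ == "__main__":
    for pid in find_hidden_pids():
        print(f"PID {pid} answers signal 0 but is not listed in /proc")
```

<p>Run it as root so that the probe and the <em>status</em> reads are not limited by permissions; a non-empty result is a lead for memory and kernel-module triage, not proof of this specific rootkit.</p>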



<h3 id="Persistence_mechanisms"><em>Persistence mechanisms</em></h3>



<p>XorDdos uses various persistence mechanisms to support different Linux distributions when automatically launching upon system startup, as detailed below.</p>



<p><strong>Init script</strong></p>



<p>The malware drops an <em>init</em> script at the location <em>/etc/init.d</em>. <em>Init</em> scripts are startup scripts used to run any program when the system starts up. They follow the Linux Standard Base (LSB)-style header section to include default <em>runlevels</em>, descriptions, and dependencies.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="490" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-7.-Content-of-the-init-script-dropped-at-the-location-etc-init.d-HFLgGwYfSC.elf_.png" alt="Figure 7 displays the content of the init script dropped at the location /etc/init.d/HFLgGwYfSC.elf. " class="wp-image-114390" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-7.-Content-of-the-init-script-dropped-at-the-location-etc-init.d-HFLgGwYfSC.elf_.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-7.-Content-of-the-init-script-dropped-at-the-location-etc-init.d-HFLgGwYfSC.elf_-300x184.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-7.-Content-of-the-init-script-dropped-at-the-location-etc-init.d-HFLgGwYfSC.elf_-768x470.png 768w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-7.-Content-of-the-init-script-dropped-at-the-location-etc-init.d-HFLgGwYfSC.elf_-392x240.png 392w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 7. Content of the init script dropped at the location <em>/etc/init.d/HFLgGwYfSC.elf</em></figcaption></figure>



<p><strong>Cron script</strong></p>



<p>The malware creates a <em>cron</em> script at the location <em>/etc/cron.hourly/gcc.sh</em>. The <em>cron</em> script passes parameters with the following content:</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="114" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-8.-Content-of-the-gcc.sh-script.png" alt="Figure 8 displays the contents of the gcc.sh script. " class="wp-image-114393" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-8.-Content-of-the-gcc.sh-script.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-8.-Content-of-the-gcc.sh-script-300x43.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-8.-Content-of-the-gcc.sh-script-768x109.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 8. Content of the <em>gcc.sh</em> script</figcaption></figure>



<p>It then creates a <em>/etc/crontab</em> file to run <em>/etc/cron.hourly/gcc.sh </em>every three minutes:</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="69" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-9.-System-command-to-delete-the-etc-cron.hourly-gcc.sh-entry-from-the-etc-crontab-file-and-add-a-new-entry.png" alt="Figure 9 displays the system command to delete the /etc/cron.hourly/gcc.sh entry from /etc/crontab file and add a new entry. It reads &quot;system(&quot;sed -i \'/\\/etc\\/cron.hourly\\/gcc.sh/d\' /etc/crontab &amp;&amp; echo \'*/3 * * * * root /etc/cron.hourly/gcc.sh\' &gt;&gt; /etc/crontab&quot;);" class="wp-image-114396" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-9.-System-command-to-delete-the-etc-cron.hourly-gcc.sh-entry-from-the-etc-crontab-file-and-add-a-new-entry.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-9.-System-command-to-delete-the-etc-cron.hourly-gcc.sh-entry-from-the-etc-crontab-file-and-add-a-new-entry-300x26.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-9.-System-command-to-delete-the-etc-cron.hourly-gcc.sh-entry-from-the-etc-crontab-file-and-add-a-new-entry-768x66.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 9. System command to delete the <em>/etc/cron.hourly/gcc.sh</em> entry from the <em>/etc/crontab</em> file and add a new entry</figcaption></figure>



<figure class="wp-block-image size-full is-resized"><img loading="lazy" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-10.-The-content-of-the-file-etc-crontab.png" alt="Figure 10 reads :*/3 * * * * root /etc/cron.hourly/gcc.sh&quot;" class="wp-image-114399" width="800" height="43" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-10.-The-content-of-the-file-etc-crontab.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-10.-The-content-of-the-file-etc-crontab-300x16.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-10.-The-content-of-the-file-etc-crontab-768x41.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 10. The content of the file <em>/etc/crontab</em></figcaption></figure>



<p><strong>System V runlevel</strong></p>



<p>A <em>runlevel</em> is a mode of <em>init</em> and the system that specifies what system services are operating for Unix System V-style operating systems. <em>Runlevels</em> contain a value, typically numbered zero through six, each of which designates a different system configuration and allows access to a different combination of processes. Some system administrators set a system’s default <em>runlevel</em> according to their needs or use <em>runlevels</em> to identify which subsystems are working, such as whether the network is operational. The <em>/etc/rc&lt;run_level&gt;</em> directory contains symbolic links (<em>symlinks</em>), which are soft links that point to the original file. These <em>symlinks</em> point to the scripts that should run at the specified <em>runlevel</em>.</p>



<p>The malware creates a <em>symlink</em> for the <em>init</em> script dropped at the location <em>/etc/init.d/&lt;base_file_name&gt;</em> with the directories associated with <em>runlevels</em> 1 through 5 at <em>/etc/rc&lt;run_level&gt;.d/S90&lt;base_file_name&gt;</em> and <em>/etc/rc.d/rc&lt;run_level&gt;.d/S90&lt;base_file_name&gt;</em>.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="326" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-11.-Installation-of-rc.d-directorys-symlink-scripts-with-etc-init.d-base_file_name.png" alt="Figure 11 displays the installation of rc.d directory's symlink scripts with /etc/init.d/<base_file_name&gt;." class="wp-image-114402" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-11.-Installation-of-rc.d-directorys-symlink-scripts-with-etc-init.d-base_file_name.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-11.-Installation-of-rc.d-directorys-symlink-scripts-with-etc-init.d-base_file_name-300x122.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-11.-Installation-of-rc.d-directorys-symlink-scripts-with-etc-init.d-base_file_name-768x313.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 11. Installation of <em>rc.d</em> directory’s symlink scripts with <em>/etc/init.d/&lt;base_file_name&gt;</em></figcaption></figure>



<p><strong>Auto-start services</strong></p>



<p>The malware runs a command to install startup services that automatically run XorDdos at boot. The malware’s <em>LinuxExec_Argv2</em> subroutine runs the system API with the provided arguments.</p>



<p>The commands <em>chkconfig --add &lt;service_name&gt;</em> and <em>update-rc.d</em> then add a service that starts the daemon process at boot.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="102" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-12.-chkconfig-and-update-rc.d-commands-install-the-startup-service.png" alt="Figure 12 displays chkconfig and update-rc.d commands installing the startup service" class="wp-image-114405" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-12.-chkconfig-and-update-rc.d-commands-install-the-startup-service.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-12.-chkconfig-and-update-rc.d-commands-install-the-startup-service-300x38.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-12.-chkconfig-and-update-rc.d-commands-install-the-startup-service-768x98.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 12. <em>chkconfig</em> and <em>update-rc.d</em> commands install the startup service</figcaption></figure>
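<p>The persistence artifacts described in this section can be swept for on a live host or a mounted disk image. The following is an added example, not code from the original analysis; the function names are hypothetical, and treating an <em>S90</em> link present in all of runlevels 1 through 5 as the signal is a heuristic built from the paths given above.</p>

```python
import os
import re

# The /etc/crontab entry shown in Figure 10 of the write-up.
CRON_LINE = re.compile(
    r"^\s*\*/3\s+\*\s+\*\s+\*\s+\*\s+root\s+/etc/cron\.hourly/gcc\.sh\s*$")
RUNLEVELS = set(range(1, 6))            # links are created for runlevels 1-5
RC_LAYOUTS = ("etc/rc{}.d", "etc/rc.d/rc{}.d")


def _s90_links(root, layout):
    """Map init-script name to the runlevels holding an S90 symlink to it."""
    found = {}
    for level in sorted(RUNLEVELS):
        rc_dir = os.path.join(root, layout.format(level))
        try:
            entries = os.listdir(rc_dir)
        except OSError:
            continue  # this layout is not used on the scanned system
        for entry in entries:
            path = os.path.join(rc_dir, entry)
            if not entry.startswith("S90") or not os.path.islink(path):
                continue
            target = os.readlink(path)
            name = os.path.basename(target)
            # Keep only links shaped like S90<name> pointing into init.d.
            if entry == "S90" + name and "init.d" in target.split("/"):
                found.setdefault(name, set()).add(level)
    return found


def scan_persistence(root="/"):
    """Return (kind, detail) findings for a live root or a mounted image."""
    findings = []
    if os.path.lexists(os.path.join(root, "etc/cron.hourly/gcc.sh")):
        findings.append(("cron-script", "/etc/cron.hourly/gcc.sh"))
    try:
        with open(os.path.join(root, "etc/crontab"), errors="replace") as fh:
            for number, line in enumerate(fh, 1):
                if CRON_LINE.match(line):
                    findings.append(("crontab-entry", f"/etc/crontab:{number}"))
    except OSError:
        pass  # no readable crontab in this root
    for layout in RC_LAYOUTS:
        for name, levels in sorted(_s90_links(root, layout).items()):
            if levels != RUNLEVELS:
                continue  # ordinary services rarely start in all of 1-5
            script = os.path.join(root, "etc/init.d", name)
            kind = "init-script" if os.path.lexists(script) else "dangling-links"
            rc_path = "/" + layout.format("N")
            findings.append((kind, f"/etc/init.d/{name} via {rc_path}/S90{name}"))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_persistence("/"):
        print(f"{kind}: {detail}")
```

<p>Pass the mount point of a forensic image as <em>root</em> to scan offline; on a host with an active rootkit, an offline scan is the more reliable of the two.</p>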



<h3 id="Argument-based_code-flow"><em>Argument-based code-flow</em></h3>



<p>XorDdos has specific code paths corresponding to the number of arguments provided to the program. This flexibility makes its operation more robust and stealthy. The malware first runs without any argument and then later runs another instance with different arguments, such as PIDs and fake commands, to perform capabilities like clean-up, spoofing, and persistence.</p>



<p>Before handling the argument-based control, it calls the <em>readlink</em> API with the first parameter as <em>/proc/self/exe</em> to fetch its full process path. The full path is used later to create auto-start service entries and read the file’s content.</p>



<p>In this section, we will cover the main tasks carried out as part of the different arguments provided:</p>



<p><strong>1: Standard code path without any provided arguments</strong></p>



<p>This code path depicts the malware’s standard workflow, which is also the typical workflow where XorDdos runs as part of the entries created in system start-up locations.</p>



<p>The malware first checks whether it’s running from the locations <em>/usr/bin/</em>, <em>/bin/</em>, or <em>/tmp/</em>. If it’s not running from these locations, then it creates and copies itself using a 10-character string name on those locations, as well as <em>/lib/</em> and <em>/var/run/</em>.</p>



<p>It also creates a copy of itself at the location <em>/lib/libudev.so</em>. To evade hash-based malicious file lookup, it performs the following steps, which modify the file hash to make every file unique:</p>



<ul><li>Opens the file for writing only</li><li>Calls <em>lseek (fd, 0, SEEK_END)</em> to point at the last position in the file</li><li>Creates a random 10-character string</li><li>Writes the string at the end of the file with an additional null byte</li></ul>



<p>After modifying the file, it runs the binary, performs a double <em>fork()</em>, and deletes its file from the disk.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="163" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-13.-The-end-of-the-malware-file-contains-two-random-strings-wieegnexuk-and-yybrdajydg-indicating-that-the-original-malware-binary-was-modified-twice.png" alt="Figure 13 displays the end of the malware file containing two random strings, ‘wieegnexuk’ and ‘yybrdajydg,’ indicating that the original malware binary was modified twice" class="wp-image-114462" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-13.-The-end-of-the-malware-file-contains-two-random-strings-wieegnexuk-and-yybrdajydg-indicating-that-the-original-malware-binary-was-modified-twice.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-13.-The-end-of-the-malware-file-contains-two-random-strings-wieegnexuk-and-yybrdajydg-indicating-that-the-original-malware-binary-was-modified-twice-300x61.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-13.-The-end-of-the-malware-file-contains-two-random-strings-wieegnexuk-and-yybrdajydg-indicating-that-the-original-malware-binary-was-modified-twice-768x156.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 13. The end of the malware file contains two random strings, ‘wieegnexuk’ and ‘yybrdajydg,’ indicating that the original malware binary was modified twice</figcaption></figure>
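<p>Since each copy differs from its parent only by an appended 10-character string and a null byte, an analyst can undo the change before hashing and group samples by their common core. The following is an added example, not code from the original analysis; the function names are hypothetical, the lower-case alphabet is an assumption taken from the two strings in Figure 13, and the sample bytes are constructed.</p>

```python
import hashlib
import re

BLOCK = 11  # ten characters plus the trailing null byte
# Assumption: the random strings are lower-case letters, as in Figure 13.
SUFFIX = re.compile(rb"[a-z]{10}\x00")


def strip_appended_suffixes(data, max_rounds=64):
    """Peel <10 chars><NUL> blocks off the end; return (core, removed)."""
    end = len(data)
    removed = []
    while end >= BLOCK and len(removed) < max_rounds:
        tail = data[end - BLOCK:end]
        if not SUFFIX.fullmatch(tail):
            break
        removed.append(tail[:-1].decode("ascii"))
        end -= BLOCK
    removed.reverse()  # oldest append first
    return data[:end], removed


def normalized_sha256(data):
    """SHA-256 of the content with the appended blocks removed."""
    core, removed = strip_appended_suffixes(data)
    return hashlib.sha256(core).hexdigest(), removed


def cluster_by_core(samples):
    """Group {label: bytes} by normalized hash.

    If an unmodified file happens to end in bytes that look like an appended
    block, every copy is over-stripped in the same way, so the grouping still
    holds even though the count of appends is then off.
    """
    clusters = {}
    for label, blob in samples.items():
        digest, removed = normalized_sha256(blob)
        clusters.setdefault(digest, []).append((label, len(removed)))
    return clusters


if __name__ == "__main__":
    core = b"\x7fELF" + bytes(range(256))           # constructed stand-in
    first = core + b"wieegnexuk\x00"                # strings from Figure 13
    second = first + b"yybrdajydg\x00"
    for digest, members in cluster_by_core(
            {"copy-1": first, "copy-2": second}).items():
        print(digest[:16], members)
```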



<p><strong>2: Clean-up code path</strong></p>



<p>In this code path, the malware runs with another argument provided as the PID, for example:</p>



<ul><li><em>/usr/bin/jwvwvxoupv 4849</em></li></ul>



<p>Using the above example, the malware shares the 64-byte size memory segment with the IPC key “0xDA718716” to check for another malware process provided as an argument. If not found, it runs its own binary without any argument and calls the <em>fork()</em> API twice to make sure the grandchild process has no parent. This results in the grandchild process being adopted by the <em>init</em> process, which disconnects it from the process tree and acts as an anti-forensic technique.</p>



<p>Additionally, it performs the following tasks on a provided <em>$pid</em>:</p>



<ul><li>Fetches the process file name corresponding to the provided <em>$pid</em></li><li>Deletes the file for the provided <em>$pid</em></li><li>Deletes the installed <em>init</em> services:<ul><li>Deletes <em>/etc/init.d/&lt;file_name&gt;</em></li></ul><ul><li>For <em>runlevels</em> 1-5, unlinks and deletes <em>/etc/rc&lt;runlevel&gt;.d/S90&lt;file_name&gt;</em></li></ul><ul><li>Performs the command <em>chkconfig --del &lt;file_name&gt;</em></li></ul><ul><li>Performs the command <em>update-rc.d &lt;file_name&gt; remove</em></li></ul></li><li>Ends the process that was provided as an argument.</li></ul>



<p><strong>3: Process name spoofing code path</strong></p>



<p>The malware spawns new dropped binaries with two additional arguments: a fake command line and its PIDs, for example:</p>



<ul><li><em>/usr/bin/jwvwvxoupv "cat resolv.conf" 4849</em></li><li><em>/usr/bin/jwvwvxoupv gnome-terminal 4849</em></li><li><em>/usr/bin/jwvwvxoupv top 4849</em></li><li><em>/usr/bin/jwvwvxoupv pwd 4849</em></li><li><em>/usr/bin/kagbjahdic id 4849</em></li></ul>



<p>The fake commands can include:</p>



<ul><li><em>cat resolv.conf</em></li><li><em>netstat -an</em></li><li><em>bash</em></li><li><em>whoami</em></li><li><em>id</em></li><li><em>cd /etc</em></li><li><em>ifconfig eth0</em></li><li><em>ifconfig</em></li><li><em>echo "find"</em></li><li><em>uptime</em></li><li><em>sh</em></li><li><em>top</em></li><li><em>gnome-terminal</em></li><li><em>su</em></li><li><em>netstat -antop</em></li><li><em>grep "A"</em></li><li><em>who</em></li><li><em>ls -la</em></li><li><em>pwd</em></li><li><em>route -n</em></li><li><em>ps -ef</em></li><li><em>ls</em></li><li><em>sleep 1</em></li></ul>



<p>In this code path, the malware uses process name spoofing to hide from the process tree by modifying its fake command line at runtime. It then hides its process by calling <em>HidePidPort</em> with command “1” and reads the content of the file on disk related to the current process.</p>



<p>It then enters a five-second loop to perform the following checks:</p>



<ul><li>Fetches the file name specific to the <em>$pid</em> provided as part of the third argument by calling the <em>readlink</em> API on <em>/proc/$pid/exe</em>.</li><li>If the <em>readlink</em> call fails, that likely indicates that the file on disk doesn’t exist. In this case, it:<ul><li>Intends to delete all service-related entries for the <em>$pid</em> but fails. This appears to be due to a code flaw that allows a zeroed-out buffer to be passed as a service name when the buffer is supposed to be filled from a successful <em>readlink</em> API call.</li></ul><ul><li>Creates directories similar to the standard code path scenario.</li></ul><ul><li>Calls the <em>stat</em> API for the file <em>/lib/libudev.so</em>. If the <em>stat</em> API returns a non-zero value, then it attempts to copy the content of the current process’s image-file fetched earlier to the following locations with a random name:<ul><li><em>/usr/bin/</em></li></ul><ul><li><em>/bin/</em></li></ul><ul><li><em>/tmp/</em> &nbsp;&nbsp;</li></ul></li></ul><ul><li>Copies the <em>/lib/libudev.so</em> file to the same three directories listed above if the <em>stat</em> API call is successful on <em>/lib/libudev.so</em>.</li></ul><ul><li>Changes the hash of the written or copied file and then runs it without passing any parameters.</li></ul></li><li>If the <em>readlink</em> call is successful and returns the count of bytes copied, sleeps for one second and then loops for the remaining time out of five seconds.</li><li>Unhides the current process and the <em>$pid</em> that was provided as part of the third argument.</li><li>Deletes the on-disk file for the current process.</li></ul>
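<p>Where the rootkit is not hiding the process, the spoofed command line still disagrees with the process image, which gives defenders something to check. The following is an added example, not code from the original analysis: it compares <em>/proc/$pid/cmdline</em> with <em>/proc/$pid/exe</em> and reports a process only when at least two signals agree. The function names and the threshold are hypothetical, the lower-case name pattern is an assumption based on the example paths above, and the records in the test data are constructed.</p>

```python
import os
import re

# Fake command lines listed in the write-up (quotes normalized).
FAKE_COMMANDS = {
    "cat resolv.conf", "netstat -an", "bash", "whoami", "id", "cd /etc",
    "ifconfig eth0", "ifconfig", 'echo "find"', "uptime", "sh", "top",
    "gnome-terminal", "su", "netstat -antop", 'grep "A"', "who", "ls -la",
    "pwd", "route -n", "ps -ef", "ls", "sleep 1",
}
DROP_DIRS = ("/usr/bin/", "/bin/", "/tmp/")
# Assumption: dropped names are ten lower-case letters, as in the examples.
RANDOM_NAME = re.compile(r"[a-z]{10}")
DELETED = " (deleted)"


def assess(exe, cmdline):
    """Reasons a process looks spoofed.

    exe is the readlink result for /proc/<pid>/exe; cmdline is the raw
    NUL-separated content of /proc/<pid>/cmdline.
    """
    reasons = []
    deleted = exe.endswith(DELETED)
    path = exe[:-len(DELETED)] if deleted else exe
    base = os.path.basename(path)
    shown = cmdline.replace(b"\x00", b" ").decode("utf-8", "replace").strip()
    argv0 = os.path.basename(shown.split()[0]) if shown else ""
    if shown in FAKE_COMMANDS and argv0 != base:
        reasons.append(f"command line '{shown}' does not match image {path}")
    if path.startswith(DROP_DIRS) and RANDOM_NAME.fullmatch(base):
        reasons.append("ten-letter image name in a drop directory")
    if deleted:
        reasons.append("image file deleted from disk")
    return reasons


def snapshot(proc_root="/proc"):
    """Yield (pid, exe, cmdline) for every process that can be read."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                cmdline = fh.read()
        except OSError:
            continue  # kernel thread, exited process, or no permission
        yield int(name), exe, cmdline


def find_spoofed(procs, threshold=2):
    """Return {pid: reasons} for processes with enough agreeing signals.

    A single signal is common on healthy hosts (sh running as dash, a
    daemon whose package was upgraded), so it is not reported on its own.
    """
    flagged = {}
    for pid, exe, cmdline in procs:
        reasons = assess(exe, cmdline)
        if len(reasons) >= threshold:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in sorted(find_spoofed(snapshot()).items()):
        print(pid, "; ".join(reasons))
```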



<p><strong>4: Known locations code path without any provided arguments</strong></p>



<p>This code path is similar to the standard code path, with the main difference being that the malware runs from one of the following locations:</p>



<ul><li><em>/usr/bin/</em></li><li><em>/bin/</em></li><li><em>/tmp/</em></li></ul>



<p>Once it runs from one of these locations, the malware calls the following functions to perform various tasks:</p>



<ol type="1"><li><em>InstallSYS</em><strong> </strong>– The name suggests that this function is a wrapper that should deploy a rootkit driver, but it only zeroes-out two local arrays.</li></ol>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="194" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-14.-Dummy-InstallSYS-routine.png" alt="Figure 14 displays a dummy InstallSYS routine that only zeros-out two local arrays. " class="wp-image-114411" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-14.-Dummy-InstallSYS-routine.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-14.-Dummy-InstallSYS-routine-300x73.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-14.-Dummy-InstallSYS-routine-768x186.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 14. Dummy <em>InstallSYS </em>routine</figcaption></figure>



<ol start="2"><li><em>AddService</em> – Creates the persistent auto-start entries previously mentioned so that the malware runs when the system starts.</li><li><em>HidePidPort</em> – Hides the malware’s ports and processes.</li><li><em>CheckLKM</em> – Checks whether the rootkit device is active or not. It uses a similar IOCTL call with the number “0x9748712” and command “0” to find if the rootkit is active. If the rootkit is active, it uses the owner value “0xAD1473B8” and group value “0xAD1473B8” to change the ownership of dropped files with the function <em>lchown(&lt;filename&gt;, 0xAD1473B8, 0xAD1473B8)</em>.</li><li><em>decrypt_remotestr</em><strong> </strong>– Decodes remote URLs using the same XOR key, “BB2FA36AAA9541F0”, to decode <em>config.rar</em> and the other directories. After decoding the URLs, it adds them into a remote list, which is later used to communicate and fetch commands from the command and control (C2) server:<ul><li>www[.]enoan2107[.]com:3306</li></ul><ul><li>www[.]gzcfr5axf6[.]com:3306</li></ul></li></ol>



<h3 id="Malicious_activity"><em>Malicious activity threads</em></h3>



<p>After creating persistent entries, deleting evidence of its activities, and decoding <em>config.rar</em>, the malware initializes a cyclic redundancy check (CRC) table followed by an unnamed semaphore using the <em>sem_init</em> API. This semaphore is initialized with a <em>pshared</em> value set to “0”, making the resultant semaphore shared between all the threads. The semaphore is used to maintain concurrency between threads accessing a shared object, such as <em>kill_cfg</em> data.</p>



<p>The malware then initializes three threads to perform malicious activities, such as stopping a process, creating a TCP connection, and retrieving <em>kill_cfg</em> data.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="221" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-15.-Semaphore-and-malicious-thread-initialization.png" alt="Figure 15 displays the semaphore and malicious thread initialization" class="wp-image-114414" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-15.-Semaphore-and-malicious-thread-initialization.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-15.-Semaphore-and-malicious-thread-initialization-300x83.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-15.-Semaphore-and-malicious-thread-initialization-768x212.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 15. Semaphore and malicious thread initialization</figcaption></figure>



<p><strong><em>kill_process</em></strong></p>



<p>The <em>kill_process</em> thread performs the following tasks:</p>



<ul><li>Decodes encrypted strings</li><li>Fetches file stats for <em>/var/run/gcc.pid</em> or, if none exist, then creates the file</li><li>Fetches file stats for <em>/lib/libudev.so</em> or, if none exist, then creates the directory <em>/lib</em> and creates a copy of itself at the location <em>/lib/libudev.so</em></li><li>Fetches the on disk file information associated with the current process; if it fails, then exits the loop and stops the current process</li><li>Reads the content from <em>kill_cfg</em> and performs the corresponding actions, like stopping the process or deleting files, based on the matching specified keys in the configuration file, such as:<ul><li><em>md5=</em></li></ul><ul><li><em>filename=</em></li></ul><ul><li><em>rmfile=</em></li></ul><ul><li><em>denyip=</em></li></ul></li></ul>



<p><strong><em>tcp_thread</em></strong></p>



<p>The <em>tcp_thread</em> triggers the connection with the C2 server decoded earlier using <em>decrypt_remotestr()</em>. It performs the following tasks:</p>



<ul><li>Reads the content of the file <em>/var/run/gcc.pid </em>to get a unique 32-byte magic string that identifies the device while connecting with the C2 server; if the file doesn’t exist, then it creates the file and updates it with a random 32-byte string.</li><li>Calculates the CRC header, including details of the device such as the magic string, OS release version, malware version, rootkit presence, memory stats, CPU information, and LAN speed.</li><li>Encrypts the data and sends it to the C2 server.</li><li>Waits to receive any of the following commands from the C2 server and then acts on the command using the <em>exec_packet</em> subroutine.</li></ul>



<figure class="wp-block-table"><table><tbody><tr><td><strong>Command</strong></td><td><strong>Job</strong></td></tr><tr><td>2</td><td>Stop</td></tr><tr><td>3</td><td>Create a thread pool for launching DDoS attacks</td></tr><tr><td>6</td><td>Download file</td></tr><tr><td>7</td><td>Update file</td></tr><tr><td>8</td><td>Send system information to the C2 server</td></tr><tr><td>9</td><td>Get configuration file to stop processes</td></tr></tbody></table></figure>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="346" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-16.-Collection-of-system-information.png" alt="Figure 16 displays code for the collection of system information." class="wp-image-114417" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-16.-Collection-of-system-information.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-16.-Collection-of-system-information-300x130.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-16.-Collection-of-system-information-768x332.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 16. Collection of system information</figcaption></figure>



<p><strong><em>daemon_get_killed_process</em></strong></p>



<p>The <em>daemon_get_killed_process</em> thread downloads the <em>kill_cfg</em> data from the remote URL decoded earlier (hxxp://aa[.]hostasa[.]org/config[.]rar) and decrypts it using the same XOR key previously mentioned. It then sleeps for 30 minutes.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="343" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-17.-daemon_get_killed_process-thread-function-fetches-and-decodes-the-kill_cfg-data-from-remote-URL.png" alt="Figure 17 displays code for the daemon_get_killed_process thread function fetching and decoding the kill_cfg data from remote URL." class="wp-image-114420" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-17.-daemon_get_killed_process-thread-function-fetches-and-decodes-the-kill_cfg-data-from-remote-URL.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-17.-daemon_get_killed_process-thread-function-fetches-and-decodes-the-kill_cfg-data-from-remote-URL-300x129.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-17.-daemon_get_killed_process-thread-function-fetches-and-decodes-the-kill_cfg-data-from-remote-URL-768x329.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 17. <em>daemon_get_killed_process</em> thread function fetches and decodes the <em>kill_cfg</em> data from the remote URL</figcaption></figure>



<h3 id="DDoS_attack"><em>DDoS attack thread pool</em></h3>



<p>The malware calls <em>sysconf(_SC_NPROCESSORS_CONF) </em>to fetch the number of processors in the device. It then creates threads with twice the number of processors found on the device.</p>



<p>Invoking each thread internally calls the thread routine <em>threadwork</em>. Using the global variable “g_stop” and commands received from the C2 server, <em>threadwork</em> then sends crafted packets 65,535 times to perform a DDoS attack.</p>



<figure class="wp-block-table"><table><tbody><tr><td><strong>Command</strong></td><td><strong>Function</strong></td><td><strong>Job</strong></td></tr><tr><td>0x4</td><td>fix_syn &nbsp;</td><td>SYN flood attack</td></tr><tr><td>0x5</td><td>fix_dns &nbsp;</td><td>DNS attack</td></tr><tr><td>0xA</td><td>fix_ack &nbsp;</td><td>ACK flood attack</td></tr></tbody></table></figure>



<h2 id="Defending_against">Defending against Linux platform threats</h2>



<p>XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures. Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.</p>



<p>Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.</p>



<p>XorDdos and other threats targeting Linux devices emphasize how crucial it is to have security solutions with comprehensive capabilities and complete visibility spanning numerous distributions of Linux operating systems. <a href="https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1">Microsoft Defender for Endpoint</a> offers such visibility and protection to catch these emerging threats with its <a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide">next-generation antimalware</a> and <a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response?view=o365-worldwide">endpoint detection and response (EDR)</a> capabilities. Leveraging threat intelligence from integrated threat data, including client and cloud heuristics, machine learning models, memory scanning, and behavioral monitoring, Microsoft Defender for Endpoint can detect and remediate XorDdos and its multi-stage, modular attacks. This includes detecting and protecting against its use of a malicious shell script for initial access, its drop-and-execution of binaries from a world-writable location, and any potential follow-on activities on endpoints.</p>



<p>Defenders can apply the following mitigations to reduce the impact of this threat:</p>



<ul><li>Encourage the use of&nbsp;<a href="https://www.microsoft.com/edge">Microsoft Edge</a>—available on Linux and various platforms—or other web browsers that support&nbsp;<a href="https://docs.microsoft.com/deployedge/microsoft-edge-security-smartscreen">Microsoft Defender SmartScreen</a>, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.</li><li>Use&nbsp;<a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide">device discovery</a>&nbsp;to find unmanaged Linux devices on your network and onboard them to Microsoft Defender for Endpoint.&nbsp;</li><li>Turn on&nbsp;<a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide" target="_blank" rel="noreferrer noopener">cloud-delivered protection</a>&nbsp;in Microsoft Defender Antivirus or the equivalent for your antivirus product to use cloud-based machine learning protections that can block a huge majority of new and unknown variants.&nbsp;</li><li>Run&nbsp;<a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide" target="_blank" rel="noreferrer noopener">EDR in block mode</a>&nbsp;so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode.</li><li>Enable&nbsp;<a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide" target="_blank" rel="noreferrer noopener">network protection</a>&nbsp;to prevent applications or users from accessing malicious domains and other malicious content on the internet.&nbsp;</li><li>Enable&nbsp;<a 
href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide">investigation and remediation</a>&nbsp;in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.&nbsp;</li></ul>



<p>As threats across all platforms continue to grow in number and sophistication, security solutions must be capable of providing advanced protection on a wide range of devices, regardless of the operating system in use. Organizations will continue to face threats from a variety of entry points across devices, so Microsoft continues to invest heavily in protecting all the major platforms and in providing the extensive capabilities that organizations need to protect their networks and systems.</p>



<h3 id="Detection_details">Detection details</h3>



<p>Microsoft Defender for Endpoint detects and blocks XorDdos components and behavior as the following malware:</p>



<ul><li>DoS:Linux/Xorddos.A</li><li>DoS:Linux/Xorddos!rfn</li><li>Trojan:Linux/Xorddos</li><li>Trojan:Linux/Xorddos.AA</li><li>Trojan:Linux/Xorddos!rfn</li><li>Behavior:Linux/Xorddos.A</li></ul>



<p>When XorDdos is detected on a device, Microsoft 365 Defender raises an alert, which shows the complete attack chain, including the process tree, file information, user information, and prevention details.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="774" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-18.-Microsoft-365-Defender-alert-for-detection-of-XorDdos-malware_ccexpress.png" alt="" class="wp-image-114483" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-18.-Microsoft-365-Defender-alert-for-detection-of-XorDdos-malware_ccexpress.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-18.-Microsoft-365-Defender-alert-for-detection-of-XorDdos-malware_ccexpress-300x290.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-18.-Microsoft-365-Defender-alert-for-detection-of-XorDdos-malware_ccexpress-768x743.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 18. Microsoft 365 Defender alert for detection of XorDdos malware</figcaption></figure>



<p>The timeline view displays all of the detection and prevention events associated with XorDdos, providing details such as the MITRE ATT&amp;CK techniques and tactics, remediation status, and event entities graph.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="108" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-19.-Microsoft-365-Defender-timeline-displaying-that-HFLgGwYfSC.elf-was-run-from-a-world-writable-directory-and-the-remediation-of-dropped-binaries_ccexpress.png" alt="" class="wp-image-114486" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-19.-Microsoft-365-Defender-timeline-displaying-that-HFLgGwYfSC.elf-was-run-from-a-world-writable-directory-and-the-remediation-of-dropped-binaries_ccexpress.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-19.-Microsoft-365-Defender-timeline-displaying-that-HFLgGwYfSC.elf-was-run-from-a-world-writable-directory-and-the-remediation-of-dropped-binaries_ccexpress-300x41.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-19.-Microsoft-365-Defender-timeline-displaying-that-HFLgGwYfSC.elf-was-run-from-a-world-writable-directory-and-the-remediation-of-dropped-binaries_ccexpress-768x104.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 19. Microsoft 365 Defender timeline displaying that <em>HFLgGwYfSC.elf</em> was run from a world-writable directory and the remediation of dropped binaries</figcaption></figure>



<p>Events with the following titles indicate threat activity related to XorDdos:</p>



<ul><li>The content of libudev.so was collected into libudev.so.6</li><li>bash process performed System Information Discovery by invoking ifconfig</li><li>gcc.sh was executed after being dropped by HFLgGwYfSC.elf</li><li>A shell command was executed by crond</li><li>SUID/SGID process unix_chkpwd executed</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" width="800" height="362" src="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-20.-Microsoft-365-Defender-timeline-with-an-event-on-a-suspicious-shell-command-run-by-crond-after-it-was-dropped-from-HFLgGwYfSC.elf_ccexpress.png" alt="" class="wp-image-114492" srcset="https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-20.-Microsoft-365-Defender-timeline-with-an-event-on-a-suspicious-shell-command-run-by-crond-after-it-was-dropped-from-HFLgGwYfSC.elf_ccexpress.png 800w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-20.-Microsoft-365-Defender-timeline-with-an-event-on-a-suspicious-shell-command-run-by-crond-after-it-was-dropped-from-HFLgGwYfSC.elf_ccexpress-300x136.png 300w, https://www.microsoft.com/security/blog/uploads/securityprod/2022/05/Figure-20.-Microsoft-365-Defender-timeline-with-an-event-on-a-suspicious-shell-command-run-by-crond-after-it-was-dropped-from-HFLgGwYfSC.elf_ccexpress-768x348.png 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption>Figure 20. Microsoft 365 Defender timeline with an event on a suspicious shell command run by <em>crond </em>after it was dropped from <em>HFLgGwYfSC.elf</em></figcaption></figure>



<h3 id="Hunting_queries">Hunting queries</h3>



<p>To locate malicious activity related to XorDdos, run the following advanced hunting queries in Microsoft 365 Defender or Microsoft Defender Security Center:</p>



<p><strong>Failed sign-ins</strong></p>



<pre class="wp-block-preformatted">DeviceLogonEvents
| where InitiatingProcessFileName == "sshd"
    and ActionType == "LogonFailed"
| summarize count() by dayOfYear = datetime_part("dayOfYear", Timestamp)
| sort by dayOfYear 
| render linechart
</pre>



<p><strong>Creation of the XorDdos-specific dropped files</strong></p>



<pre class="wp-block-preformatted">DeviceFileEvents
| extend FullPath=strcat(FolderPath, FileName)
| where FullPath in ("/etc/cron.hourly/gcc.sh", "/lib/libudev.so.6", "/lib/libudev.so", "/var/run/gcc.pid")
</pre>



<p><strong>Command-line of malicious process</strong></p>



<pre class="wp-block-preformatted">DeviceProcessEvents
| where ProcessCommandLine contains "cat resolv.conf"
</pre>



<h2 id="Indicators">Indicators</h2>



<h3>File information</h3>



<figure class="wp-block-table"><table><tbody><tr><td>File name:</td><td>HFLgGwYfSC.elf</td></tr><tr><td>File size:</td><td>611.22 KB (625889 bytes)</td></tr><tr><td>Classification:</td><td>DoS:Linux/Xorddos.A</td></tr><tr><td>MD5:</td><td>2DC6225A9D104A950FB33A74DA262B93</td></tr><tr><td>Sha1:</td><td>F05194FB2B3978611B99CFBF5E5F1DD44CD5E04B</td></tr><tr><td>Sha256:</td><td>F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432</td></tr><tr><td>File type:</td><td>ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped</td></tr><tr><td>First submission in VT:</td><td>2022-01-25 05:32:10 UTC</td></tr></tbody></table></figure>



<h3>Dropped files</h3>



<figure class="wp-block-table"><table><tbody><tr><td><strong>Dropped file path</strong></td><td><strong>File type</strong></td><td><strong>SHA-256</strong></td></tr><tr><td>/etc/init.d/HFLgGwYfSC.elf</td><td>Shell Script</td><td>6E506F32C6FB7B5D342D1382989AB191C6F21C2D311251D8F623814F468952CF</td></tr><tr><td>/etc/cron.hourly/gcc.sh</td><td>Shell Script</td><td>CBB72E542E8F19240130FC9381C2351730D437D42926C6E68E056907C8456459</td></tr><tr><td>/lib/libudev.so</td><td>ELF</td><td>F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432</td></tr><tr><td>/run/gcc.pid</td><td>Text</td><td>932FEEF3AB6FCCB3502F900619B1F87E1CB44A7ADAB48F2C927ECDD67FF6830A</td></tr><tr><td>/usr/bin/djtctpzfdq</td><td>ELF</td><td>53F062A93CF19AEAA2F8481B32118A31B658A126624ABB8A7D82237884F0A394</td></tr><tr><td>/usr/bin/dmpyuitfoq</td><td>ELF</td><td>798577202477C0C233D4AF51C4D8FB2F574DDB3C9D1D90325D359A84CB1BD51C</td></tr><tr><td>/usr/bin/fdinprytpq</td><td>ELF</td><td>2B4500987D50A24BA5C118F506F2507362D6B5C63C80B1984B4AE86641779FF3</td></tr><tr><td>/usr/bin/jwvwvxoupv</td><td>ELF</td><td>359C41DA1CBAE573D2C99F7DA9EEB03DF135F018F6C660B4E44FBD2B4DDECD39</td></tr><tr><td>/usr/bin/kagbjahdic</td><td>ELF</td><td>E6C7EEE304DFC29B19012EF6D31848C0B5BB07362691E4E9633C8581F1C2D65B</td></tr><tr><td>/usr/bin/kkldnszwvq</td><td>ELF</td><td>EF0A4C12D98DC0AD4DB86AADD641389C7219F57F15642ED35B4443DAF3FF8C1E</td></tr><tr><td>/usr/bin/kndmhuqmah</td><td>ELF</td><td>B5FBA27A8E457C1AB6573C378171F057D151DC615D6A8D339195716FA9AC277A</td></tr><tr><td>/usr/bin/qkxqoelrfa</td><td>ELF</td><td>D71EA3B98286D39A711B626F687F0D3FC852C3E3A05DE3F51450FB8F7BD2B0D7</td></tr><tr><td>/usr/bin/sykhrxsazz</td><td>ELF</td><td>9D6F115F31EE71089CC85B18852974E349C68FAD3276145DAFD0076951F32489</td></tr><tr><td>/usr/bin/tcnszvmpqn</td><td>ELF</td><td>360A6258DD66A3BA595A93896D9B55D22406D02E5C02100E5A18382C54E7D5CD</td></tr><tr><td>/usr/bin/zalkpggsgh</td><td>ELF</td><td>DC2B1CEE161EBE90BE68561755D99E66F454AD80B27CEBE3D4773518AC45CBB7</td></tr><tr><td>/usr/bin/zvcarxfquk</td><td>ELF</td><td>175667933088FBEBCB62C8450993422CCC876495299173C646779A9E67501FF4</td></tr><tr><td>/tmp/bin/3200</td><td>ELF(rootkit)</td><td>C8F761D3EF7CD16EBE41042A0DAF901C2FDFFCE96C8E9E1FA0D422C6E31332EA</td></tr></tbody></table></figure>
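<p>The dropped-file indicators can also be checked directly on a Linux host or a mounted disk image. The Python sweep below is an added example, not Microsoft's code: the paths and SHA-256 values are copied from the hunting query and the tables on this page, while the function names, the verdict labels, and the choice to hash every regular file in <em>/usr/bin</em> are assumptions of this example.</p>

```python
"""Sweep a filesystem tree for the XorDdos dropped-file indicators on this page."""
import hashlib
import os
import stat
import sys

# Paths from the hunting query and the "Dropped files" table. The value is
# the SHA-256 the table gives for that path, or None where it gives none.
PATH_IOCS = {
    "/etc/init.d/HFLgGwYfSC.elf": "6E506F32C6FB7B5D342D1382989AB191C6F21C2D311251D8F623814F468952CF",
    "/etc/cron.hourly/gcc.sh": "CBB72E542E8F19240130FC9381C2351730D437D42926C6E68E056907C8456459",
    "/lib/libudev.so": "F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432",
    "/lib/libudev.so.6": None,
    "/run/gcc.pid": "932FEEF3AB6FCCB3502F900619B1F87E1CB44A7ADAB48F2C927ECDD67FF6830A",
    "/var/run/gcc.pid": None,
    "/tmp/bin/3200": "C8F761D3EF7CD16EBE41042A0DAF901C2FDFFCE96C8E9E1FA0D422C6E31332EA",
}

# SHA-256 values the table lists for the ELF copies under /usr/bin.
USR_BIN_HASHES = set("""
53F062A93CF19AEAA2F8481B32118A31B658A126624ABB8A7D82237884F0A394
798577202477C0C233D4AF51C4D8FB2F574DDB3C9D1D90325D359A84CB1BD51C
2B4500987D50A24BA5C118F506F2507362D6B5C63C80B1984B4AE86641779FF3
359C41DA1CBAE573D2C99F7DA9EEB03DF135F018F6C660B4E44FBD2B4DDECD39
E6C7EEE304DFC29B19012EF6D31848C0B5BB07362691E4E9633C8581F1C2D65B
EF0A4C12D98DC0AD4DB86AADD641389C7219F57F15642ED35B4443DAF3FF8C1E
B5FBA27A8E457C1AB6573C378171F057D151DC615D6A8D339195716FA9AC277A
D71EA3B98286D39A711B626F687F0D3FC852C3E3A05DE3F51450FB8F7BD2B0D7
9D6F115F31EE71089CC85B18852974E349C68FAD3276145DAFD0076951F32489
360A6258DD66A3BA595A93896D9B55D22406D02E5C02100E5A18382C54E7D5CD
DC2B1CEE161EBE90BE68561755D99E66F454AD80B27CEBE3D4773518AC45CBB7
175667933088FBEBCB62C8450993422CCC876495299173C646779A9E67501FF4
""".split())

KNOWN_HASHES = USR_BIN_HASHES | {h for h in PATH_IOCS.values() if h}
SCAN_DIRS = ("/usr/bin",)  # assumption: only this directory is hashed in full


def sha256_of(path, chunk=1048576):
    """Return the upper-case hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def is_regular(path):
    """True for a regular file; a symlink as the last component is not followed."""
    try:
        return stat.S_ISREG(os.lstat(path).st_mode)
    except OSError:
        return False


def sweep(root="/", path_iocs=PATH_IOCS, hash_iocs=KNOWN_HASHES, scan_dirs=SCAN_DIRS):
    """Return sorted (path, verdict) pairs found under root.

    Verdicts: "path+hash" (path exists and content matches the listed hash),
    "path-only" (path exists; content differs or no hash is listed, so it
    needs manual review), "hash" (a known hash under another file name).
    """
    wanted = {h.upper() for h in hash_iocs}
    findings = {}
    for ioc_path, expected in path_iocs.items():
        on_disk = os.path.join(root, ioc_path.lstrip("/"))
        if not os.path.lexists(on_disk):
            continue
        verdict = "path-only"
        if expected and is_regular(on_disk):
            try:
                if sha256_of(on_disk) == expected.upper():
                    verdict = "path+hash"
            except OSError:
                pass  # unreadable file: keep the lower-confidence verdict
        findings[ioc_path] = verdict
    for directory in scan_dirs:
        base = os.path.join(root, directory.lstrip("/"))
        try:
            names = os.listdir(base)
        except OSError:
            continue  # directory missing or unreadable under this root
        for name in names:
            on_disk = os.path.join(base, name)
            if not is_regular(on_disk):
                continue
            try:
                if sha256_of(on_disk) in wanted:
                    findings.setdefault(os.path.join(directory, name), "hash")
            except OSError:
                continue
    return sorted(findings.items())


if __name__ == "__main__":
    target = sys.argv[1] if sys.argv[1:] else "/"
    for found_path, found_verdict in sweep(target):
        print(found_verdict, found_path, sep="\t")
```

<p>Run it as root against <em>/</em> or pass the mount point of an image as the first argument; because the page also lists a rootkit component, a sweep of a mounted image from a trusted system is the more reliable of the two.</p>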



<h3>Download URLs</h3>



<ul><li>www[.]enoan2107[.]com:3306</li><li>www[.]gzcfr5axf6[.]com:3306</li><li>hxxp://aa[.]hostasa[.]org/config.rar</li></ul>






<p><em><strong>Ratnesh Pandey</strong>, <strong>Yevgeny Kulakov</strong>, and <strong>Jonathan Bar Or</strong><br>Microsoft 365 Defender Research Team</em></p>
	</div><!-- .entry-content -->

	
</article><!-- #post-## -->

			
		</div>

	
	</main><!-- #mainContent -->



	<!-- start universal footer -->
			<div id="footerArea" class="uhf"  data-m='{"cN":"footerArea","cT":"Area_coreuiArea","id":"a2Body","sN":2,"aN":"Body"}'>
                <div id="footerRegion"      data-region-key="footerregion" data-m='{"cN":"footerRegion","cT":"Region_coreui-region","id":"r1a2","sN":1,"aN":"a2"}' >

    <div  id="footerUniversalFooter" data-m='{"cN":"footerUniversalFooter","cT":"Module_coreui-universalfooter","id":"m1r1a2","sN":1,"aN":"r1a2"}'  data-module-id="Category|footerRegion|coreui-region|footerUniversalFooter|coreui-universalfooter">
        



<footer id="uhf-footer" class="c-uhff context-uhf"  data-uhf-mscc-rq="false" data-footer-footprint="/MSSecurity/MSSecurityFooter, fromService: True" data-m='{"cN":"Uhf footer_cont","cT":"Container","id":"c1m1r1a2","sN":1,"aN":"m1r1a2"}'>
        <nav class="c-uhff-nav" aria-label="Footer Resource links" data-m='{"cN":"Footer nav_cont","cT":"Container","id":"c1c1m1r1a2","sN":1,"aN":"c1m1r1a2"}'>
            
        </nav>
    <div class="c-uhff-base">
        <nav aria-label="Microsoft corporate links">
            <ul class="c-list f-bare" data-m='{"cN":"Corp links_cont","cT":"Container","id":"c8c1c1m1r1a2","sN":8,"aN":"c1c1m1r1a2"}'>
                <li>&#169; Microsoft 2022</li>
                
            </ul>
        </nav>
    </div>
    
</footer>




    </div>
        </div>

    </div>		<!-- end universal footer -->

</div><!-- #page -->
</body>
</html>
